BIND Security Advisory (CVE-2009-0025; Severity: Low)
David Coulthart
davec at columbia.edu
Thu Jan 8 14:10:42 UTC 2009
On Jan 7, 2009, at 2:32 PM, Rob_Austein at isc.org wrote:
> Internet Systems Consortium Security Advisory.
> BIND: EVP_VerifyFinal() and DSA_do_verify() return checks.
> 7 January 2009
>
> Versions affected:
>
> BIND 9.0 (all versions)
> BIND 9.1 (all versions)
> BIND 9.2 (all versions)
> BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6
> BIND 9.4.0, 9.4.1, 9.4.2, 9.4.3
> BIND 9.5.0, 9.5.1
> BIND 9.6.0
>
> Severity: Low.
>
> Description:
>
> Return values from OpenSSL library functions EVP_VerifyFinal()
> and DSA_do_verify() were not checked properly.
>
> Impact:
>
> It is theoretically possible to spoof answers returned from
> zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).
<snip>
Would someone be able to provide some more details as to what particular configurations of BIND this affects? My interpretation is it only impacts recursive nameservers that have DNSSEC validation enabled. Speaking in terms of BIND config options, the dnssec-validation option would need to be set to yes (so just having the default of dnssec-enable set to yes isn't enough to make the server vulnerable). Is this a correct interpretation?
Thanks,
Dave Coulthart
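The advisory quoted above turns on the return convention of OpenSSL's verification routines: EVP_VerifyFinal() and DSA_do_verify() return 1 when the signature verifies, 0 when it does not, and -1 when an error occurs (for example, when the signature could not be decoded). A caller that only treats 0 as failure therefore accepts the -1 case. The C block below is an added illustration of that check pattern; it is not code from this mail, from BIND or from OpenSSL. To run without libcrypto it uses a constructed stand-in, fake_do_verify(), that mimics the 1/0/-1 convention on constructed input, and places the flawed check beside the corrected one.

```c
#include <stdio.h>
#include <string.h>

/* Return convention documented for OpenSSL's EVP_VerifyFinal() and
 * DSA_do_verify():
 *    1  signature verified
 *    0  signature did not verify
 *   -1  an error occurred (e.g. the signature could not be parsed) */
enum { VERIFY_OK = 1, VERIFY_BAD = 0, VERIFY_ERROR = -1 };

/* Constructed stand-in for DSA_do_verify(); NOT OpenSSL code.
 * A buffer too short to decode is reported as an error (-1),
 * the constructed byte string "good-signature" verifies (1),
 * anything else is a bad signature (0). */
static int fake_do_verify(const unsigned char *sig, size_t siglen) {
    static const unsigned char good_sig[] = "good-signature";
    if (siglen < 4)
        return VERIFY_ERROR;                      /* undecodable input */
    if (siglen == sizeof(good_sig) - 1 && memcmp(sig, good_sig, siglen) == 0)
        return VERIFY_OK;
    return VERIFY_BAD;
}

/* Flawed pattern: only an explicit 0 is treated as failure, so the
 * error return -1 falls through and is accepted as a valid signature. */
int accepts_flawed_check(const unsigned char *sig, size_t siglen) {
    int status = fake_do_verify(sig, siglen);
    return (status == 0) ? 0 : 1;
}

/* Corrected pattern: nothing but an explicit 1 counts as success,
 * so both "did not verify" (0) and "error" (-1) are rejected. */
int accepts_strict_check(const unsigned char *sig, size_t siglen) {
    int status = fake_do_verify(sig, siglen);
    return (status == 1) ? 1 : 0;
}

int main(void) {
    /* Constructed sample signatures for the three return cases. */
    const unsigned char good[] = "good-signature";
    const unsigned char bad[]  = "not-the-signature";
    const unsigned char junk[] = "xy";            /* too short to decode */

    printf("good: flawed=%d strict=%d\n",
           accepts_flawed_check(good, sizeof(good) - 1),
           accepts_strict_check(good, sizeof(good) - 1));
    printf("bad:  flawed=%d strict=%d\n",
           accepts_flawed_check(bad, sizeof(bad) - 1),
           accepts_strict_check(bad, sizeof(bad) - 1));
    /* The undecodable case is where the two checks diverge. */
    printf("junk: flawed=%d strict=%d\n",
           accepts_flawed_check(junk, sizeof(junk) - 1),
           accepts_strict_check(junk, sizeof(junk) - 1));
    return 0;
}
```

The design point is the asymmetry of the strict check: a verifier should have exactly one value that means "accepted" and treat every other value, including ones it has never seen, as rejection. Whether an error return can actually be provoked with a crafted DSA signature is what the advisory's "theoretically possible" refers to; the example only shows why the check matters.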