Update to CVE 2010-3613

[Larissa Shapiro]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ISC has updated CVE 2010-3613 and the associated operational guidance
based on feedback from one of our forum members. The update changes
affected versions to include versions of BIND 9 back to 9.0.x. Please
review carefully and respond appropriately if you are running an
affected version.

Best Regards,

Larissa

Larissa Shapiro
ISC Product Manager

- ----------------------------------------------------------------------

Updated CVE:

BIND: cache incorrectly allows a ncache entry and a rrsig for the same type

Summary: Failure to clear existing RRSIG records when a NO DATA is
negatively cached could cause subsequent lookups to crash named.

CVE:  CVE-2010-3613
CERT: VU#706148
Posting date: 01 Dec 2010
Revision: 14 December 2010
Program Impacted: BIND
Versions affected: 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to
9.6-ESV-R2
Severity: High
Exploitable: remotely

Description: Adding certain types of negative signed responses to cache
doesn't clear any matching RRSIG records already in cache. A subsequent
lookup of the cached data can cause named to crash (INSIST).

CVSS Base Score: 7.8 - (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more on CVSS scores and to calculate your environment's specific
risk, please visit:
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Impact and Risk Assessment: The INSIST crashes the server.
This vulnerability affects recursive nameservers irrespective of whether
DNSSEC validation is enabled or disabled.

Workarounds: none
Active exploits: None known at this time.

Solution:
The versions listed below are supported by ISC.  All other versions are
End of Life, and will not be patched.  If you are running a version not
listed below, you should upgrade as soon as possible.
9.4.x: upgrade to 9.4-ESV-R4, or newer
9.6.x: upgrade to 9.6.2-P3 or newer
9.6-ESV: upgrade to 9.6-ESV-R3 or newer
9.7.x: upgrade to 9.7.2-P3

Acknowledgment: Shinichi Furuso

Revision History:
24 November 2010: Corrected/Updated: Versions affected, CVSS Score,
Impact, Risk Assessment and Solution
14 December 2010: Updated Versions Affected, Solution and Acknowledgment
For more information please contact bind9-bugs at isc.org

-
-----------------------------------------------------------------------------------
Updated Guidance Text:

CVE: CVE-2010-3613
CERT: VU#706148
BIND: cache incorrectly allows a ncache entry and a rrsig for the same type

Although the defect is very unlikely to be encountered in normal>
operation, if your recursive resolver is being used to query public
Internet zones and you cannot readily restrict your client queries then
there is the potential for a remote attacker to cause your nameserver to
crash.

Note particularly that disabling DNSSEC validation is NOT an effective
workaround.

 * We recommend that you plan to upgrade immediately if ALL of the
following apply to your BIND installation:
       a) You are operating a recursive server which obtains answers
from public Internet zones.
       b) You are running any version of BIND 9 including or prior to:
9.6.2 - 9.6.2-P2, 9.4-ESV - 9.6-ESV-R2, 9.7.0 - 9.7.2-P2
       c) The DNS clients accessing your resolver constitute a large
pool and are not under you control or you can not limit access only to
machines with full trust.

  * We suggest that you put this upgrade in your plans for 2011 if you
are not operating recursive DNS servers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJNB5RCAAoJEBOIp87tasiUZcMH/jFqkwCA1QBj8utQ13690aIF
VIGZfDAriYyFx/nUxu0B67ZbTKcjWxbPr1MBlPKh911Hy7ZmPRYAsu3YWPFLsUTd
+zzoKI7u3T8jrSp9TdgKdjzJPJIhOTABJoUNoZaJIjVM3VhUN0ha/RupGDXNz8tB
J7nv0q8AiTOZlWFOGP8LzLxCI7SQxevmNBmaeOVbvrNJt8Bla4MMQhJss01qxmBa
aq5FXPFZ9BQKHIZacspbeVrKjtOW1nU0FVZHBUwVK3CbnYGTAW9vVvVo3qBcb5vT
h0rRHoa5R8QQfG4mVHmreZIBdpRs/3BtXUAGhnN0a3KVR2QQl7wOFDkXSYhKi64=
=WvDz
-----END PGP SIGNATURE-----