Security Advisory: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

Dennis Clarke dclarke at blastwave.org
Wed Feb 23 04:26:17 UTC 2011


Sorry for the top post but there is no data yet at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0414. I'll assume
that is coming along. I have 9.7.3 ready for release on Solaris 8 and 9 and
10 however I wanted to refer to the various security info sites.

Do you know if the folks at NIST are doing an update?

-- 
Dennis Clarke
dclarke at opensolaris.ca  <- Email related to the open source Solaris
dclarke at blastwave.org   <- Email related to open source for Solaris


------------------

> Internet Systems Consortium Security Advisory
>
> Title: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate
>
> (http://www.isc.org/software/bind/advisories/cve-2011-0414)
>
> CVE-2011-0414
>
> VU#559980
>
> CVSS: 7.1  (AV:N/AC:M/Au:N/C:N/I:N/A:C)
> for more information on the Common Vulnerability Scoring System and to
> obtain your specific environmental score please visit:
> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
>
> Posting date: 2011-02-22
>
> Program Impacted: BIND
>
> Versions affected: 9.7.1-9.7.2-P3
>
> Severity: High
>
> Exploitable: Remotely
>
> Description and Impact:
>
> When an authoritative server processes a successful IXFR transfer or a
> dynamic update, there is a small window of time during which the
> IXFR/update coupled with a query may cause a deadlock to occur. This
> deadlock will cause the server to stop processing all requests. A high
> query rate and/or a high update rate will increase the probability of
> this condition.
>
> Workaround:
>
> Depending on your performance requirements, a work-around may be
> available. ISC was not able to reproduce this defect in 9.7.2 using -n
> 1, which causes named to use only one worker thread, thus avoiding the
> deadlock. If your server is powerful enough to serve your data with a
> single processor, this option may be fast to implement until you have
> time to perform an upgrade.
>
> Active exploits: None known, but a description of the issue is available
> in the release notes for BIND 9.6.3 and 9.7.3.
>
> Solution: If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3. Earlier
> versions are not vulnerable. If you run BIND 9.6.x, 9.6-ESV-R?, or
> 9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is End of Life and is
> not supported by ISC. BIND 9.8 is not vulnerable.
>
> Credits: Thank you to Neustar for finding the initial defect and JPRS
> for further testing and analysis.
>
> Questions regarding this advisory or ISC's Support services should be
> sent to bind9-bugs at isc.org
> For more information on ISC's support, consulting, training, and other
> services, visit
> http://www.isc.org/community/blog/201102/open-source-software-unsupported-isnt-it
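
An added example, not part of the original post or of ISC's advisory: a small inventory check that applies the advisory's affected range (9.7.1 through 9.7.2-P3) and its `-n 1` workaround to a list of servers. The function names and the sample hosts are hypothetical, and the banner format `BIND 9.7.2-P3` (as printed by `named -v`) is an assumption; pre-release builds, which the advisory does not mention, are reported as unknown.

```python
import re

def classify_version(text):
    """Map a BIND version string to 'affected', 'not-affected' or 'unknown'."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?(\S*)", text)
    if not m:
        return "unknown"
    if (int(m.group(1)), int(m.group(2))) != (9, 7):
        # Advisory: earlier versions and BIND 9.8 are not vulnerable.
        return "not-affected"
    suffix = re.fullmatch(r"(?:-P(\d+))?", m.group(4))
    if m.group(3) is None or suffix is None:
        # e.g. beta/rc builds, which the advisory does not mention (assumption:
        # treat them as needing manual review rather than guessing).
        return "unknown"
    release = (int(m.group(3)), int(suffix.group(1) or 0))
    # Affected range from the advisory: 9.7.1 through 9.7.2-P3.
    return "affected" if (1, 0) <= release <= (2, 3) else "not-affected"

def uses_single_worker(argv):
    """True if named's arguments include the advisory's workaround, -n 1."""
    for i, arg in enumerate(argv):
        if arg == "-n":
            return argv[i + 1:i + 2] == ["1"]
        if arg.startswith("-n") and len(arg) > 2:
            return arg[2:] == "1"
    return False

def assess(version_text, argv):
    """Combine the version check with the workaround check."""
    status = classify_version(version_text)
    if status != "affected":
        return status
    if uses_single_worker(argv):
        return "affected, -n 1 workaround in place"
    return "affected, upgrade to 9.7.3"

if __name__ == "__main__":
    # Constructed sample inventory: (version banner, named argument list).
    hosts = [
        ("BIND 9.7.2-P3", ["named", "-u", "named"]),
        ("BIND 9.7.1", ["named", "-n", "1"]),
        ("BIND 9.7.3", ["named"]),
        ("BIND 9.6-ESV-R4", ["named"]),
        ("BIND 9.7.2rc1", ["named"]),
    ]
    for banner, argv in hosts:
        print(f"{banner:18} {assess(banner, argv)}")
```

A host reported with the workaround in place still needs the upgrade: the advisory only says ISC could not reproduce the deadlock with `-n 1`.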
