Notice: BIND Security Jul2013 CVE2013-4854

Jeff Reasoner jeff.reasoner at mail.hccanet.org
Sat Jul 27 14:50:13 UTC 2013


There may be a web link I'm missing, but I have found that they are
available on ISC's ftp site.

ftp://ftp.isc.org/isc/bind9

On Sat, 2013-07-27 at 17:08 +0300, Emil Natan wrote:
> How can the downloads be verified? Are there any checksums/signatures
> available? Thanks.
> 
> 
> On Fri, Jul 26, 2013 at 11:46 PM, ISC Security Officer
> <security-officer at isc.org> wrote:
>         IMPORTANT: The security issue described below has been confirmed by ISC
>         to be 'in the wild' as of 18:00UTC July 26, and exploitation of this
>         vulnerability against production servers has been reported by multiple
>         organizations. Please be advised that immediate action is recommended.
>         
>         A specially crafted query can cause BIND to terminate
>         CVE:                   CVE-2013-4854
>         Document Version:      2.0
>         Posting date:          26 July 2013
>         Program Impacted:      BIND
>         Versions affected:     Open source: 9.7.0->9.7.7, 9.8.0->9.8.5-P1,
>                                9.9.0->9.9.3-P1, 9.8.6b1 and 9.9.4b1;
>                                Subscription: 9.9.3-S1 and 9.9.4-S1b1
>         Severity:              Critical
>         Exploitable:           Remotely
>         Description:
>         
>            A specially crafted query that includes malformed rdata can cause
>            named to terminate with an assertion failure while rejecting the
>            malformed query.
>         
>            BIND 9.6 and BIND 9.6-ESV are unaffected by this problem.  Earlier
>            branches of BIND 9 are believed to be unaffected but have not
>            been tested.  BIND 10 is also unaffected by this issue.
>         
>            Please Note: All versions of BIND 9.7 are known to be affected,
>            but these branches are beyond their "end of life" (EOL) and no
>            longer receive testing or security fixes from ISC. For current
>            information on which versions are actively supported, please see
>         
>         http://www.isc.org/downloads/software-support-policy/bind-software-status/.
>         
>         Impact:
>         
>            Authoritative and recursive servers are equally vulnerable.
>            Intentional exploitation of this condition can cause a denial
>            of service in all nameservers running affected versions of BIND
>            9.  Access Control Lists do not provide any protection from
>            malicious clients.
>         
>            In addition to the named server, applications built using libraries
>            from the affected source distributions may crash with assertion
>            failures triggered in the same fashion.
>         
>         CVSS Score:  7.8
>         
>         CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)
>         
>         For more information on the Common Vulnerability Scoring System and
>         to obtain your specific environmental score please visit:
>         http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
>         
>         
>         Workarounds:
>         
>            No known workarounds at this time.
>         
>         Active exploits:
>         
>            Crashes have been reported by multiple ISC customers.  First
>            observed in the wild on 26 July 2013, 18:00 UTC.
>         
>         Solution:
>         
>            Upgrade to the patched release most closely related to your
>            current version of BIND.  Open source versions can all be
>            downloaded from http://www.isc.org/downloads.  Subscription
>            version customers will be contacted directly by ISC Support
>            regarding delivery.
>         
>            BIND 9 version 9.8.5-P2
>            BIND 9 version 9.9.3-P2
>            BIND 9 version 9.9.3-S1-P1 (Subscription version available via DNSco)
>         
>         Acknowledgements:
>         
>            ISC would like to thank Maxim Shudrak and the HP Zero Day
>            Initiative for reporting this issue.
>         
>         Document Revision History:
>         
>            1.0 Phase One Advance Notification, 18 July 2013
>            1.1 Phases Two and Three Advance Notification, 26 July 2013
>            2.0 Notification to public (Phase Four), 26 July 2013
>         
>         Related Documents:
>         
>            Spanish Translation:     planned
>            Japanese Translation:    https://kb.isc.org/article/AA-01023
>            Portuguese Translation:  https://kb.isc.org/article/AA-01021
>         
>         
>         See our BIND Security Matrix for a complete listing of Security
>         Vulnerabilities and versions affected.
>         
>         This Knowledge Base article https://kb.isc.org/article/AA-01016
>         provides additional information and Frequently Asked Questions about
>         this advisory.
>         
>         If you'd like more information on our product support or about our
>         Subscription versions of BIND, please visit http://www.dns-co.com/solutions
>         
>         Do you still have questions?  Questions regarding this advisory
>         should go to security-officer at isc.org.  To report a new issue,
>         please encrypt your message using security-officer at isc.org's PGP
>         key which can be found here:
>         
>           https://www.isc.org/downloads/software-support-policy/openpgp-key
>         
>         If you are unable to use encrypted email, you may also report new
>         issues at: https://www.isc.org/mission/contact/.
>         
>         Note:
>         
>            ISC patches only currently supported versions. When possible we
>            indicate EOL versions affected.
>         
>         ISC Security Vulnerability Disclosure Policy:
>         
>            Details of our current security advisory policy and practice can
>            be found here: ISC Software Defect and Security Vulnerability
>            Disclosure Policy
>         
>         This Knowledge Base article https://kb.isc.org/article/AA-01015
>         is the complete and official security advisory document.
>         
>         Legal Disclaimer:
>         
>            Internet Systems Consortium (ISC) is providing this notice on
>            an "AS IS" basis. No warranty or guarantee of any kind is expressed
>            in this notice and none should be implied. ISC expressly excludes
>            and disclaims any warranties regarding this notice or materials
>            referred to in this notice, including, without limitation, any
>            implied warranty of merchantability, fitness for a particular
>            purpose, absence of hidden defects, or of non-infringement. Your
>            use or reliance on this notice or materials referred to in this
>            notice is at your own risk. ISC may change this notice at any
>            time.  A stand-alone copy or paraphrase of the text of this
>            document that omits the document URL is an uncontrolled copy.
>            Uncontrolled copies may lack important information, be out of
>            date, or contain factual errors.
>         
>         (c) 2001-2013 Internet Systems Consortium
>         
>         _______________________________________________
>         Please visit https://lists.isc.org/mailman/listinfo/bind-users
>         to unsubscribe from this list
>         
>         bind-users mailing list
>         bind-users at lists.isc.org
>         https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
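The advisory quoted above lists affected and fixed versions, and BIND's version strings do not sort the way a plain tuple compare suggests (a -Pn patch release comes after its base release, a b1 beta before it). The following Python script is an added example, not ISC's tooling or anything from the thread: it parses the output of `named -v` and checks it against the open-source ranges quoted in the advisory. The ranges are copied from the advisory; the regexes, the treatment of a vendor suffix in the version string, and the `named -v` strings used in testing are assumptions. Subscription (-S) versions are not handled.

```python
"""Check a BIND 9 version string against the ranges the advisory above lists
as affected by CVE-2013-4854.  Added example, not ISC's tooling: the ranges are
copied from the advisory; the regexes and the handling of a vendor suffix in
`named -v` output are assumptions about packaging conventions."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:b(\d+)|-P(\d+))?$")
NAMED_V_RE = re.compile(r"BIND\s+(\d+\.\d+\.\d+(?:b\d+|-P\d+)?)(\S*)")

# Open-source ranges (inclusive) and the two betas named in the advisory.
AFFECTED_RANGES = [("9.7.0", "9.7.7"), ("9.8.0", "9.8.5-P1"), ("9.9.0", "9.9.3-P1")]
AFFECTED_BETAS = {"9.8.6b1", "9.9.4b1"}
FIXED = {"9.8.5-P2", "9.9.3-P2"}


def version_key(s):
    """Sort key reproducing BIND's ordering:
    9.9.3 < 9.9.3-P1 < 9.9.3-P2 < 9.9.4b1 < 9.9.4
    A beta (b1) precedes its release; a -Pn patch release follows it."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {s!r}")
    major, minor, patch, beta, plevel = m.groups()
    if beta is not None:
        return (int(major), int(minor), int(patch), 0, int(beta))
    return (int(major), int(minor), int(patch), 1, int(plevel or 0))


def is_affected(version):
    if version in AFFECTED_BETAS:
        return True
    v = version_key(version)
    return any(version_key(lo) <= v <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def parse_named_v(output):
    """Pull the upstream version out of `named -v` output.  Returns
    (version, vendor_suffix); a non-empty suffix means a distribution build,
    whose vendor may have backported the fix without changing the version."""
    m = NAMED_V_RE.search(output)
    if not m:
        raise ValueError(f"no BIND version in: {output!r}")
    return m.group(1), m.group(2)


def assess(named_v_output):
    version, suffix = parse_named_v(named_v_output)
    if version in FIXED:
        verdict = "fixed"
    elif is_affected(version):
        verdict = "affected"
    else:
        verdict = "not affected"
    if suffix:
        verdict += " upstream; vendor build, check the vendor advisory"
    return version, verdict


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["named", "-v"], capture_output=True, text=True).stdout
    print(assess(out))
```

A distribution package such as one reporting "BIND 9.8.5-P1-Debian" (a constructed string) is flagged as affected upstream but with a vendor suffix, because distributions commonly backport a fix without bumping the upstream version; the vendor's own advisory, not this script, decides such a case.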

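The question in the thread is how to verify the downloads. As an added example, not ISC code or anything posted in the thread, the Python script below checks a downloaded tarball against a sha256sum-style checksum file and a detached PGP signature. It assumes gpg is on PATH, that ISC's signing public key was obtained and checked out of band and imported into a dedicated keyring file, and that PINNED_FINGERPRINT (a placeholder value here) has been replaced with that key's fingerprint; the file names and contents in demo() are constructed.

```python
"""Verify a downloaded BIND tarball against a sha256sum-style checksum file
and a detached PGP signature.  Added example, not ISC code.  It assumes gpg is
on PATH, that ISC's signing public key was obtained and checked out of band and
imported into a dedicated keyring file, and that PINNED_FINGERPRINT (a
placeholder here) was replaced with that key's fingerprint."""
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

# Placeholder: put the fingerprint you verified out of band here.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"

# gpg status keywords that must fail verification even when a GOODSIG line
# is also present (bad or erroneous signature, expired or revoked key).
REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(tarball, checksum_file):
    """checksum_file holds '<hex>  <filename>' lines as written by sha256sum.
    True only if the line for this tarball's name matches its digest."""
    name = Path(tarball).name
    expected = None
    for line in Path(checksum_file).read_text().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == name:
            expected = parts[0].lower()
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_file(tarball))


def parse_gpg_status(status_text, pinned_fpr):
    """Decide from gpg's --status-fd lines rather than its exit code: gpg exits
    0 for a good signature by any key in the keyring, so the signing key's
    fingerprint (VALIDSIG field 1, or the primary-key fingerprint at the end
    of that line) is compared with the pinned one."""
    good = False
    fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw in REJECT:
            return False
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG" and len(fields) >= 3:
            fprs.add(fields[2].upper())
            if len(fields) >= 12:
                fprs.add(fields[11].upper())
    return good and pinned_fpr.upper() in fprs


def verify_signature(tarball, sig_file, keyring, pinned_fpr=PINNED_FINGERPRINT):
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(sig_file), str(tarball)],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, pinned_fpr)


def verify_download(tarball, checksum_file, sig_file, keyring):
    """Both checks must pass: a checksum hosted next to the tarball only
    catches corruption, since an attacker who replaces one replaces both."""
    return (verify_checksum(tarball, checksum_file)
            and verify_signature(tarball, sig_file, keyring))


def demo():
    """Constructed sample: a fake tarball (name modelled on the fixed release
    in the advisory, contents invented) with a matching checksum file, then
    the same file after one appended byte."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "bind-9.9.3-P2.tar.gz"
        tarball.write_bytes(b"constructed tarball contents\n" * 64)
        checksum_file = Path(d) / "bind-9.9.3-P2.tar.gz.sha256"
        checksum_file.write_text(f"{sha256_file(tarball)}  {tarball.name}\n")
        intact = verify_checksum(tarball, checksum_file)
        with open(tarball, "ab") as f:
            f.write(b"x")
        tampered = verify_checksum(tarball, checksum_file)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The signature check is the part that ties the file to ISC; it is parsed from gpg's machine-readable status output so that a key merely carrying an "ISC" user ID in the keyring is not enough, and so that an expired or revoked key, which gpg still reports as a mathematically good signature, is refused.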