ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
Adam Tkac
atkac at redhat.com
Tue Mar 26 16:32:35 UTC 2013
Hello,
if I understand correctly, this isn't issue in BIND itself but it is some memory
leak in underlying regexp library (glibc in Linux case). Can you please clarify
which exact flaw in glibc (or other regex implementation) makes BIND vulnerable
to remote DoS? Is it already reported to regex library developers? Was it
already fixed (and how)?
I'm asking because from distribution point of view it's better to address this
flaw directly in regex implementation which will automatically make BIND
invulnerable.
Thank you in advance for response.
Regards, Adam
On Tue, Mar 26, 2013 at 12:01:50PM -0400, ISC Support Staff wrote:
> A critical defect in BIND 9 allows an attacker to cause excessive
>
> memory consumption in named or other programs linked to libdns.
>
>
>
> CVE: CVE-2013-2266
>
> Document Version: 2.0
>
> Posting date: 26 March 2013
>
> Program Impacted: BIND
>
> Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1,
>
> 9.9.0 -> 9.9.3b1. (Windows versions are not
> affected.
>
> Versions of BIND 9 prior to BIND 9.7.0 (including
>
> BIND 9.6-ESV) are not affected. BIND 10 is
>
> not affected.)
>
> Severity: Critical
>
> Exploitable: Remotely
>
> Description:
>
>
>
> A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
>
> on Unix and related operating systems, allows an attacker to
>
> deliberately cause excessive memory consumption by the named
>
> process, potentially resulting in exhaustion of memory resources
>
> on the affected server. This condition can crash BIND 9 and
>
> will likely severely affect operation of other programs running
>
> on the same machine.
>
>
>
> Please Note: Versions of BIND 9.7 are beyond their "end of life"
>
> (EOL) and no longer receive testing or security fixes from ISC.
>
> However, the re-compilation method described in the "Workarounds"
>
> section of this document will prevent exploitation in BIND 9.7
>
> as well as in currently supported versions.
>
>
>
> For current information on which versions are actively supported,
>
> please seehttp://www.isc.org/software/bind/versions.
>
>
>
> Additional information is available in the CVE-2013-2266 FAQ and
>
> Supplemental Information article in the ISC Knowledge base,
>
> https://kb.isc.org/article/AA-00879.
>
>
>
> Impact:
>
>
>
> Intentional exploitation of this condition can cause denial of
>
> service in all authoritative and recursive nameservers running
>
> affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
>
> through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
>
> (inclusive)]. Additionally, other services which run on the
>
> same physical machine as an affected BIND server could be
>
> compromised as well through exhaustion of system memory.
>
>
>
> Programs using the libdns library from affected versions of BIND
>
> are also potentially vulnerable to exploitation of this bug if
>
> they can be forced to accept input which triggers the condition.
>
> Tools which are linked against libdns (e.g. dig) should also be
>
> rebuilt or upgraded, even if named is not being used.
>
>
>
> CVSS Score: 7.8
>
>
>
> CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
>
>
>
> For more information on the Common Vulnerability Scoring System
>
> and to obtain your specific environmental score please visit:
>
>
>
> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
>
>
>
> Workarounds:
>
>
>
> Patched versions are available (see the "Solutions:" section
>
> below) or operators can prevent exploitation of this bug in any
>
> affected version of BIND 9 by compiling without regular expression
>
> support.
>
>
>
> Compilation without regular expression support:
>
>
>
> BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
>
> and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
>
> safe from this bug by re-compiling the source with regular
>
> expression support disabled. In order to disable inclusion
>
> of regular expression support:
>
>
>
> - After configuring BIND features as desired using the configure
>
> script in the top level source directory, manually edit the
>
> "config.h" header file that was produced by the configure
>
> script.
>
>
>
> - Locate the line that reads "#define HAVE_REGEX_H 1" and
>
> replace the contents of that line with "#undef
>
> HAVE_REGEX_H".
>
>
>
> - Run "make clean" to remove any previously compiled object
>
> files from the BIND 9 source directory, then proceed to
>
> make and install BIND normally.
>
>
>
> Active exploits:
>
>
>
> No known active exploits.
>
>
>
> Solution:
>
>
>
> Compile BIND 9 without regular expression support as described
>
> in the "Workarounds" section of this advisory or upgrade to the
>
> patched release most closely related to your current version of
>
> BIND. These can be downloaded fromhttp://www.isc.org/downloads/all.
>
>
>
> BIND 9 version 9.8.4-P2
>
> BIND 9 version 9.9.2-P2
>
>
>
> Acknowledgements:
>
>
>
> ISC would like to thank Matthew Horsfall of Dyn, Inc. for
>
> discovering this bug and bringing it to our attention.
>
>
>
> Document Revision History:
>
>
>
> 1.0 Phase One - Advance Notification, 11 March 2013
>
> 1.1 Phase Two & Three, 25 March 2013
>
> 2.0 Notification to Public (Phase Four), 26 March 2013
>
>
>
> Related Documents:
>
>
>
> Japanese Translation:https://kb.isc.org/article/AA-00881
>
> Spanish Translation:https://kb.isc.org/article/AA-00882
>
> German Translation:https://kb.isc.org/article/AA-00883
>
> Portuguese Translation:https://kb.isc.org/article/AA-00884
>
>
>
> See our BIND Security Matrix for a complete listing of Security
>
> Vulnerabilities and versions affected.
>
>
>
> If you'd like more information on our product support please visit
> www.isc.org/support.
>
>
>
> Do you still have questions? Questions regarding this advisory
>
> should go tosecurity-officer at isc.org
>
>
>
> Note:
>
>
>
> ISC patches only currently supported versions. When possible we
>
> indicate EOL versions affected.
>
>
>
> ISC Security Vulnerability Disclosure Policy: Details of our current
>
> security advisory policy and practice can be found here:
>
> https://www.isc.org/security-vulnerability-disclosure-policy
>
>
>
> This Knowledge Base articlehttps://kb.isc.org/article/AA-00871 is
>
> the complete and official security advisory document.
>
>
>
> Legal Disclaimer:
>
>
>
> Internet Systems Consortium (ISC) is providing this notice on
>
> an "AS IS" basis. No warranty or guarantee of any kind is expressed
>
> in this notice and none should be implied. ISC expressly excludes
>
> and disclaims any warranties regarding this notice or materials
>
> referred to in this notice, including, without limitation, any
>
> implied warranty of merchantability, fitness for a particular
>
> purpose, absence of hidden defects, or of non-infringement. Your
>
> use or reliance on this notice or materials referred to in this
>
> notice is at your own risk. ISC may change this notice at any
>
> time. A stand-alone copy or paraphrase of the text of this
>
> document that omits the document URL is an uncontrolled copy.
>
> Uncontrolled copies may lack important information, be out of
>
> date, or contain factual errors.
>
>
>
> (c) 2001-2013 Internet Systems Consortium
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Adam Tkac, Red Hat, Inc.
More information about the bind-users
mailing list