ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

Mark Andrews marka at isc.org
Tue Mar 26 20:58:27 UTC 2013


In message <20130326163235.GA31738 at redhat.com>, Adam Tkac writes:
> Hello,
> 
> if I understand correctly, this isn't issue in BIND itself but it is some memory
> leak in underlying regexp library (glibc in Linux case). Can you please clarify
> which exact flaw in glibc (or other regex implementation) makes BIND vulnerable
> to remote DoS? Is it already reported to regex library developers? Was it
> already fixed (and how)?
> 
> I'm asking because from distribution point of view it's better to address this
> flaw directly in regex implementation which will automatically make BIND
> invulnerable.
> 
> Thank you in advance for response.
> 
> Regards, Adam

While I understand your issues, bind-users isn't the forum to answer them.

Mark
 
> On Tue, Mar 26, 2013 at 12:01:50PM -0400, ISC Support Staff wrote:
> > A critical defect in BIND 9 allows an attacker to cause excessive
> > memory consumption in named or other programs linked to libdns.
> > 
> > CVE:                  CVE-2013-2266
> > Document Version:     2.0
> > Posting date:         26 March 2013
> > Program Impacted:     BIND
> > Versions affected:    "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1,
> >                       9.9.0 -> 9.9.3b1.  (Windows versions are not
> >                       affected.  Versions of BIND 9 prior to BIND 9.7.0
> >                       (including BIND 9.6-ESV) are not affected.  BIND 10
> >                       is not affected.)
> > Severity:             Critical
> > Exploitable:          Remotely
> > 
> > Description:
> > 
> >    A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
> >    on Unix and related operating systems, allows an attacker to
> >    deliberately cause excessive memory consumption by the named
> >    process, potentially resulting in exhaustion of memory resources
> >    on the affected server.  This condition can crash BIND 9 and
> >    will likely severely affect operation of other programs running
> >    on the same machine.
> > 
> >    Please Note: Versions of BIND 9.7 are beyond their "end of life"
> >    (EOL) and no longer receive testing or security fixes from ISC.
> >    However, the re-compilation method described in the "Workarounds"
> >    section of this document will prevent exploitation in BIND 9.7
> >    as well as in currently supported versions.
> > 
> >    For current information on which versions are actively supported,
> >    please see http://www.isc.org/software/bind/versions.
> > 
> >    Additional information is available in the CVE-2013-2266 FAQ and
> >    Supplemental Information article in the ISC Knowledge base,
> >    https://kb.isc.org/article/AA-00879.
> > 
> > Impact:
> > 
> >    Intentional exploitation of this condition can cause denial of
> >    service in all authoritative and recursive nameservers running
> >    affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
> >    through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
> >    (inclusive)].  Additionally, other services which run on the
> >    same physical machine as an affected BIND server could be
> >    compromised as well through exhaustion of system memory.
> > 
> >    Programs using the libdns library from affected versions of BIND
> >    are also potentially vulnerable to exploitation of this bug if
> >    they can be forced to accept input which triggers the condition.
> >    Tools which are linked against libdns (e.g. dig) should also be
> >    rebuilt or upgraded, even if named is not being used.
> > 
> > CVSS Score:  7.8
> > 
> > CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> > 
> >    For more information on the Common Vulnerability Scoring System
> >    and to obtain your specific environmental score please visit:
> > 
> > http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
> > 
> > Workarounds:
> > 
> >    Patched versions are available (see the "Solutions:" section
> >    below) or operators can prevent exploitation of this bug in any
> >    affected version of BIND 9 by compiling without regular expression
> >    support.
> > 
> >    Compilation without regular expression support:
> > 
> >       BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
> >       and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
> >       safe from this bug by re-compiling the source with regular
> >       expression support disabled.  In order to disable inclusion
> >       of regular expression support:
> > 
> >       - After configuring BIND features as desired using the configure
> >         script in the top level source directory, manually edit the
> >         "config.h" header file that was produced by the configure
> >         script.
> > 
> >       - Locate the line that reads "#define HAVE_REGEX_H 1" and
> >         replace the contents of that line with "#undef
> >         HAVE_REGEX_H".
> > 
> >       - Run "make clean" to remove any previously compiled object
> >         files from the BIND 9 source directory, then proceed to
> >         make and install BIND normally.
> > 
> > Active exploits:
> > 
> >    No known active exploits.
> > 
> > Solution:
> > 
> >    Compile BIND 9 without regular expression support as described
> >    in the "Workarounds" section of this advisory or upgrade to the
> >    patched release most closely related to your current version of
> >    BIND. These can be downloaded from http://www.isc.org/downloads/all.
> > 
> >    BIND 9 version 9.8.4-P2
> >    BIND 9 version 9.9.2-P2
> > 
> > Acknowledgements:
> > 
> >    ISC would like to thank Matthew Horsfall of Dyn, Inc. for
> >    discovering this bug and bringing it to our attention.
> > 
> > Document Revision History:
> > 
> >    1.0 Phase One - Advance Notification, 11 March 2013
> >    1.1 Phase Two & Three, 25 March 2013
> >    2.0 Notification to Public (Phase Four), 26 March 2013
> > 
> > Related Documents:
> > 
> >    Japanese Translation: https://kb.isc.org/article/AA-00881
> >    Spanish Translation: https://kb.isc.org/article/AA-00882
> >    German Translation: https://kb.isc.org/article/AA-00883
> >    Portuguese Translation: https://kb.isc.org/article/AA-00884
> > 
> >    See our BIND Security Matrix for a complete listing of Security
> >    Vulnerabilities and versions affected.
> > 
> > If you'd like more information on our product support please visit
> > www.isc.org/support.
> > 
> > Do you still have questions?  Questions regarding this advisory
> > should go to security-officer at isc.org
> > 
> > Note:
> > 
> >    ISC patches only currently supported versions. When possible we
> >    indicate EOL versions affected.
> > 
> > ISC Security Vulnerability Disclosure Policy:  Details of our current
> > security advisory policy and practice can be found here:
> > https://www.isc.org/security-vulnerability-disclosure-policy
> > 
> > This Knowledge Base article https://kb.isc.org/article/AA-00871 is
> > the complete and official security advisory document.
> > 
> > Legal Disclaimer:
> > 
> >    Internet Systems Consortium (ISC) is providing this notice on
> >    an "AS IS" basis. No warranty or guarantee of any kind is expressed
> >    in this notice and none should be implied. ISC expressly excludes
> >    and disclaims any warranties regarding this notice or materials
> >    referred to in this notice, including, without limitation, any
> >    implied warranty of merchantability, fitness for a particular
> >    purpose, absence of hidden defects, or of non-infringement. Your
> >    use or reliance on this notice or materials referred to in this
> >    notice is at your own risk. ISC may change this notice at any
> >    time.  A stand-alone copy or paraphrase of the text of this
> >    document that omits the document URL is an uncontrolled copy.
> >    Uncontrolled copies may lack important information, be out of
> >    date, or contain factual errors.
> > 
> > (c) 2001-2013 Internet Systems Consortium
> > 
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> > 
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
> -- 
> Adam Tkac, Red Hat, Inc.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
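The recompilation workaround in the quoted advisory, written up as an added example (not ISC's own tooling): it edits the config.h that configure produced, verifies that regex support is really off, and is safe to re-run. It assumes the BIND 9 source tree is passed as the single argument.

```shell
#!/bin/sh
# Added example for the CVE-2013-2266 workaround: build BIND 9 without
# regular expression support by undefining HAVE_REGEX_H in config.h.
# Assumes ./configure has already been run in the source tree given as $1.

# Return 0 if config.h still enables regex support, 1 otherwise.
regex_enabled() {
    grep -q '^#define HAVE_REGEX_H 1' "$1"
}

# Replace "#define HAVE_REGEX_H 1" with "#undef HAVE_REGEX_H" in place.
# Idempotent: a config.h that already lacks the define is left untouched.
# Returns 0 only when the resulting file no longer enables regex support.
disable_regex_support() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    if regex_enabled "$cfg"; then
        cp "$cfg" "$cfg.orig"   # keep configure's output for comparison
        sed 's/^#define HAVE_REGEX_H 1$/#undef HAVE_REGEX_H/' "$cfg" \
            > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    fi
    ! regex_enabled "$cfg"
}

# Usage: sh this.sh /path/to/bind9-source   (only runs when a path is given)
if [ "$#" -eq 1 ]; then
    disable_regex_support "$1/config.h" || exit 1
    # "make clean" drops objects built with regex support; then rebuild
    # and "make install" as usual (install step left to the operator).
    (cd "$1" && make clean && make) || exit 1
fi
```

Afterwards, `grep HAVE_REGEX_H config.h` should show only the `#undef` line before you run `make install`.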