ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
Mark Andrews
marka at isc.org
Tue Mar 26 20:58:27 UTC 2013
In message <20130326163235.GA31738 at redhat.com>, Adam Tkac writes:
> Hello,
>
> if I understand correctly, this isn't an issue in BIND itself but it is some memory
> leak in the underlying regexp library (glibc in the Linux case). Can you please clarify
> which exact flaw in glibc (or other regex implementation) makes BIND vulnerable
> to remote DoS? Is it already reported to the regex library developers? Was it
> already fixed (and how)?
>
> I'm asking because from a distribution point of view it's better to address this
> flaw directly in the regex implementation, which will automatically make BIND
> invulnerable.
>
> Thank you in advance for response.
>
> Regards, Adam
While I understand your issues, bind-users isn't the forum to answer them.
Mark
> On Tue, Mar 26, 2013 at 12:01:50PM -0400, ISC Support Staff wrote:
> > A critical defect in BIND 9 allows an attacker to cause excessive
> > memory consumption in named or other programs linked to libdns.
> >
> > CVE: CVE-2013-2266
> > Document Version: 2.0
> > Posting date: 26 March 2013
> > Program Impacted: BIND
> > Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1,
> > 9.9.0 -> 9.9.3b1. (Windows versions are not
> > affected. Versions of BIND 9 prior to BIND 9.7.0 (including
> > BIND 9.6-ESV) are not affected. BIND 10 is
> > not affected.)
> > Severity: Critical
> > Exploitable: Remotely
> > Description:
> >
> > A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
> > on Unix and related operating systems, allows an attacker to
> > deliberately cause excessive memory consumption by the named
> > process, potentially resulting in exhaustion of memory resources
> > on the affected server. This condition can crash BIND 9 and
> > will likely severely affect operation of other programs running
> > on the same machine.
> >
> > Please Note: Versions of BIND 9.7 are beyond their "end of life"
> > (EOL) and no longer receive testing or security fixes from ISC.
> > However, the re-compilation method described in the "Workarounds"
> > section of this document will prevent exploitation in BIND 9.7
> > as well as in currently supported versions.
> >
> > For current information on which versions are actively supported,
> > please see http://www.isc.org/software/bind/versions.
> >
> > Additional information is available in the CVE-2013-2266 FAQ and
> > Supplemental Information article in the ISC Knowledge base,
> > https://kb.isc.org/article/AA-00879.
> >
> > Impact:
> >
> > Intentional exploitation of this condition can cause denial of
> > service in all authoritative and recursive nameservers running
> > affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
> > through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
> > (inclusive)]. Additionally, other services which run on the
> > same physical machine as an affected BIND server could be
> > compromised as well through exhaustion of system memory.
> >
> > Programs using the libdns library from affected versions of BIND
> > are also potentially vulnerable to exploitation of this bug if
> > they can be forced to accept input which triggers the condition.
> > Tools which are linked against libdns (e.g. dig) should also be
> > rebuilt or upgraded, even if named is not being used.
> >
> > CVSS Score: 7.8
> >
> > CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> >
> > For more information on the Common Vulnerability Scoring System
> > and to obtain your specific environmental score please visit:
> >
> > http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
> >
> > Workarounds:
> >
> > Patched versions are available (see the "Solutions:" section
> > below) or operators can prevent exploitation of this bug in any
> > affected version of BIND 9 by compiling without regular expression
> > support.
> >
> > Compilation without regular expression support:
> >
> > BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
> > and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
> > safe from this bug by re-compiling the source with regular
> > expression support disabled. In order to disable inclusion
> > of regular expression support:
> >
> > - After configuring BIND features as desired using the configure
> > script in the top level source directory, manually edit the
> > "config.h" header file that was produced by the configure
> > script.
> >
> > - Locate the line that reads "#define HAVE_REGEX_H 1" and
> > replace the contents of that line with "#undef
> > HAVE_REGEX_H".
> >
> > - Run "make clean" to remove any previously compiled object
> > files from the BIND 9 source directory, then proceed to
> > make and install BIND normally.
> >
> > Active exploits:
> >
> > No known active exploits.
> >
> > Solution:
> >
> > Compile BIND 9 without regular expression support as described
> > in the "Workarounds" section of this advisory or upgrade to the
> > patched release most closely related to your current version of
> > BIND. These can be downloaded from http://www.isc.org/downloads/all.
> >
> > BIND 9 version 9.8.4-P2
> > BIND 9 version 9.9.2-P2
> >
> > Acknowledgements:
> >
> > ISC would like to thank Matthew Horsfall of Dyn, Inc. for
> > discovering this bug and bringing it to our attention.
> >
> > Document Revision History:
> >
> > 1.0 Phase One - Advance Notification, 11 March 2013
> > 1.1 Phase Two & Three, 25 March 2013
> > 2.0 Notification to Public (Phase Four), 26 March 2013
> >
> > Related Documents:
> >
> > Japanese Translation: https://kb.isc.org/article/AA-00881
> > Spanish Translation: https://kb.isc.org/article/AA-00882
> > German Translation: https://kb.isc.org/article/AA-00883
> > Portuguese Translation: https://kb.isc.org/article/AA-00884
> >
> > See our BIND Security Matrix for a complete listing of Security
> > Vulnerabilities and versions affected.
> >
> > If you'd like more information on our product support please visit
> > www.isc.org/support.
> >
> > Do you still have questions? Questions regarding this advisory
> > should go to security-officer at isc.org
> >
> > Note:
> >
> > ISC patches only currently supported versions. When possible we
> > indicate EOL versions affected.
> >
> > ISC Security Vulnerability Disclosure Policy: Details of our current
> > security advisory policy and practice can be found here:
> > https://www.isc.org/security-vulnerability-disclosure-policy
> >
> > This Knowledge Base article https://kb.isc.org/article/AA-00871 is
> > the complete and official security advisory document.
> >
> > Legal Disclaimer:
> >
> > Internet Systems Consortium (ISC) is providing this notice on
> > an "AS IS" basis. No warranty or guarantee of any kind is expressed
> > in this notice and none should be implied. ISC expressly excludes
> > and disclaims any warranties regarding this notice or materials
> > referred to in this notice, including, without limitation, any
> > implied warranty of merchantability, fitness for a particular
> > purpose, absence of hidden defects, or of non-infringement. Your
> > use or reliance on this notice or materials referred to in this
> > notice is at your own risk. ISC may change this notice at any
> > time. A stand-alone copy or paraphrase of the text of this
> > document that omits the document URL is an uncontrolled copy.
> > Uncontrolled copies may lack important information, be out of
> > date, or contain factual errors.
> >
> > (c) 2001-2013 Internet Systems Consortium
> >
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Adam Tkac, Red Hat, Inc.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
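The "Workarounds" edit from the advisory quoted above, scripted as an added example (not ISC's own tooling and not part of this thread): it rewrites the `HAVE_REGEX_H` line in a configure-generated `config.h`, keeps a backup, and verifies that regex support is really off before you run `make clean` and `make`. The `config.h` fragment it operates on is a constructed sample, not a real ISC file.

```shell
#!/bin/sh
# Added example: apply and verify the CVE-2013-2266 workaround edit to config.h.

# Replace "#define HAVE_REGEX_H 1" with "#undef HAVE_REGEX_H" in place,
# leaving every other line untouched. Usage: disable_regex path/to/config.h
disable_regex() {
    cfg="$1"
    cp "$cfg" "$cfg.orig"   # keep the original so the change is reviewable and reversible
    sed 's/^#define[[:space:]]\{1,\}HAVE_REGEX_H[[:space:]]\{1,\}1[[:space:]]*$/#undef HAVE_REGEX_H/' \
        "$cfg.orig" > "$cfg"
}

# Return 0 if config.h still enables regex support (the vulnerable build), 1 otherwise.
regex_enabled() {
    grep -q '^#define[[:space:]]\{1,\}HAVE_REGEX_H[[:space:]]\{1,\}1' "$1"
}

# Constructed sample config.h (what configure would emit on a Unix host with regex.h).
demo_cfg="$(mktemp)"
trap 'rm -f "$demo_cfg" "$demo_cfg.orig"' EXIT
cat > "$demo_cfg" <<'EOF'
/* constructed sample: generated by configure */
#define HAVE_REGEX_H 1
#define HAVE_SYS_TYPES_H 1
EOF

# Demonstrate on the sample: regex support is on before the edit and off after it.
if regex_enabled "$demo_cfg"; then echo "before: HAVE_REGEX_H is defined"; fi
disable_regex "$demo_cfg"
if regex_enabled "$demo_cfg"; then
    echo "ERROR: regex support still enabled in $demo_cfg; do not build" >&2
    exit 1
fi
echo "after: $(grep HAVE_REGEX_H "$demo_cfg")"
# Next steps from the advisory, run from the BIND source tree: make clean && make && make install
```

Run `regex_enabled` against the real `config.h` after the edit as a gate in your build script, so a re-run of `configure` that silently restores the define cannot slip into a package.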