Vulnerability of ISC BIND: denial of service via RDATA 65535

Synthesis of the vulnerability 

When the ISC BIND DNS server processes a record with an RDATA larger than 65535 bytes, it stops.
Impacted software: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, BIND, Mandriva Linux, McAfee Email and Web Security, McAfee Email Gateway, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity of this computer vulnerability: 2/4.
Creation date: 13/09/2012.
References of this announcement: AA-00778, BID-55522, c03526327, CERTA-2012-AVI-500, CERTA-2012-AVI-601, CERTA-2012-AVI-679, CERTA-2013-AVI-337, CVE-2012-4244, DSA-2547-1, ESX400-201305001, ESX400-201305402-SG, ESX400-201305404-SG, ESX410-201301001, ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, ESX410-201301405-SG, FEDORA-2012-14030, FEDORA-2012-14106, FreeBSD-SA-12:06.bind, HPSBUX02823, KB76394, MDVSA-2012:152, MDVSA-2012:152-1, openSUSE-SU-2012:1192-1, openSUSE-SU-2013:0605-1, RHSA-2012:1266-01, RHSA-2012:1267-01, RHSA-2012:1268-01, RHSA-2012:1365-01, sol13974, sol14201, SSA:2012-257-01, SSRT100976, SUSE-SU-2012:1199-1, SUSE-SU-2012:1333-1, VIGILANCE-VUL-11938, VMSA-2013-0001, VMSA-2013-0001.5, VMSA-2013-0003, VMSA-2013-0004.3, VMSA-2013-0007.

Description of the vulnerability 

The DNS protocol uses records containing a name, a type, a class, and data stored in an RDATA. For example (textual representation):
  www.example.com A IN "192.168.1.1"

The source code of ISC BIND checks if the size of an RDATA is larger than 65535 octets. The REQUIRE() macro stops the daemon if this size is exceeded.

However, ISC BIND accepts RDATA larger than 65535 octets and stores them without detecting that they are oversized. Later, when they are used, the REQUIRE() macro stops the daemon.
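
The flaw described above is a size invariant that is enforced only when the data is used, not when it is accepted. The following C sketch is an added illustration, not ISC BIND source code: the record type, function names and return codes are hypothetical, and the REQUIRE()-style abort is replaced by a return code so the outcome can be observed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RDATA_MAX 65535u /* size limit named in the advisory */

/* Hypothetical record type for illustration; not BIND's own structures. */
struct record { size_t rdlen; unsigned char *rdata; };

enum { R_OK = 0, R_TOOLARGE = 1, R_NOMEM = 2, R_ASSERT = 3 };

/* Flawed ingestion: copies the data without checking its length. */
static int store_unchecked(struct record *r, const unsigned char *d, size_t n) {
    r->rdata = malloc(n ? n : 1);
    if (r->rdata == NULL) return R_NOMEM;
    memcpy(r->rdata, d, n);
    r->rdlen = n;
    return R_OK;
}

/* Hardened ingestion: oversized input is rejected as an ordinary error. */
static int store_checked(struct record *r, const unsigned char *d, size_t n) {
    if (n > RDATA_MAX) return R_TOOLARGE;
    return store_unchecked(r, d, n);
}

/* Use-time invariant. A REQUIRE()-style macro would abort the process here;
 * this stand-in returns R_ASSERT instead. */
static int use_record(const struct record *r) {
    return (r->rdlen <= RDATA_MAX) ? R_OK : R_ASSERT;
}

/* Ingest n bytes of constructed (all-zero) data, then use the record. */
int ingest_then_use(size_t n, int hardened) {
    struct record r = {0, NULL};
    unsigned char *d = calloc(n ? n : 1, 1);
    if (d == NULL) return R_NOMEM;
    int rc = hardened ? store_checked(&r, d, n) : store_unchecked(&r, d, n);
    if (rc == R_OK) rc = use_record(&r); /* failure surfaces only at use */
    free(d);
    free(r.rdata);
    return rc;
}

int main(void) {
    printf("flawed, 65536 bytes:   %d\n", ingest_then_use(65536, 0));
    printf("hardened, 65536 bytes: %d\n", ingest_then_use(65536, 1));
    return 0;
}
```

With the unchecked path the oversized record is stored successfully and the daemon-stopping condition appears only at use time; with the checked path the same input is refused at ingestion and the use-time invariant is never reached.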

In order to exploit this vulnerability:
 - on a recursive DNS server, the attacker has to own an authoritative DNS server, and to invite the user to query this zone through the recursive DNS server
 - on a primary authoritative DNS server, the attacker has to force it to load a malicious zone file
 - on a slave authoritative DNS server, the attacker has to put data on the primary server, and to wait for a zone transfer
The last two attack vectors require that the attacker already has elevated privileges on the victim's systems.

When the ISC BIND DNS server processes a record with an RDATA larger than 65535 bytes, it therefore stops.

This computer weakness impacts software or systems such as Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, BIND, Mandriva Linux, McAfee Email and Web Security, McAfee Email Gateway, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.

Our Vigil@nce team determined that the severity of this vulnerability note is medium.

The trust level is "confirmed by the editor", with an origin of "internet server".

An attacker with expert ability can exploit this cybersecurity threat.

Solutions for this threat 

ISC BIND: version 9.9.1-P3.
The version 9.9.1-P3 is corrected:
  http://www.isc.org/downloads/all

ISC BIND: version 9.8.3-P3.
The version 9.8.3-P3 is corrected:
  http://www.isc.org/downloads/all

ISC BIND: version 9.7.6-P3.
The version 9.7.6-P3 is corrected:
  http://www.isc.org/downloads/all

ISC BIND: version 9.6-ESV-R7-P3.
The version 9.6-ESV-R7-P3 is corrected:
  http://www.isc.org/downloads/all

Debian: new bind9 packages.
New packages are available:
  bind9 1:9.7.3.dfsg-1~squeeze7

F5 BIG-IP: version 11.2.1 HF1.
The version 11.2.1 HF1 is corrected:
  https://downloads.f5.com/esd/index.jsp

F5: corrected versions for BIND.
Fixed versions are indicated in the F5 announcement.

Fedora: new bind packages.
New packages are available:
  bind-9.8.3-4.P3.fc16
  bind-9.9.1-9.P3.fc17

FreeBSD: patch for Bind.
A patch is available:
  http://security.freebsd.org/patches/SA-12:06/bind.patch

HP-UX: versions for BIND (24/10/2012).
The following versions are corrected (https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND) :
BIND 9.7.3 :
  HP-UX_11.31_HPUX-NameServer_C.9.7.3.0.0_HP-UX_B.11.31_IA_PA.depot
BIND 9.3.2 :
  HP-UX_11.11_DNSUPGRADE_C.9.3.2.12.0_HP-UX_B.11.11_32_64.depot
  HP-UX_11.23_DNSUPGRADE_C.9.3.2.12.0_HP-UX_B.11.23_IA_PA.depot
  HP-UX_11.31_HPUX-NameServer_C.9.3.2.14.0_HP-UX_B.11.31_IA_PA.depot

Mandriva: new bind packages.
New packages are available:
  bind-9.8.3-0.0.P3.0.1-mdv2011.0
  bind-9.7.6-0.0.P3.0.1mdvmes5.2

McAfee Email and Web Security: solution for BIND.
The version 5.6 Patch 5 will be corrected.
The McAfee announcement indicates workarounds.

McAfee Email Gateway: patch MEG70P3.
A patch is available:
  MEG70P3.EN_US (needs a confirmation)
  http://www.mcafee.com/us/downloads

openSUSE 12.1: new bind packages.
New packages are available:
  bind-9.8.4P2-4.32.1

RHEL 4: new bind packages.
New packages are available:
  bind-9.2.4-41.el4

RHEL: new bind packages.
New packages are available:
  bind-9.3.6-20.P1.el5_8.4
  bind97-9.7.0-10.P2.el5_8.3
  bind-9.8.2-0.10.rc1.el6_3.3

Slackware: new bind packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.7.6_P3-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/bind-9.7.6_P3-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bind-9.7.6_P3-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bind-9.7.6_P3-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bind-9.7.6_P3-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bind-9.7.6_P3-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bind-9.7.6_P3-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bind-9.7.6_P3-x86_64-1_slack13.37.txz

Solaris 11.1: patch 11.1.1.4.
A SRU is available:
  https://support.oracle.com/rs?type=doc&id=1507225.1

Solaris 11: version 11/11 SRU 12.4.
The version 11/11 SRU 12.4 is available:
  https://support.oracle.com/rs?type=doc&id=1497909.1

Solaris 9, 10: patch for BIND.
A patch is available:
Solaris 9 :
  SPARC : 112837-28
  x86 : 114265-27
Solaris 10 :
  SPARC : 119783-24
  x86 : 119784-24

SUSE: new bind packages.
New packages are available:
  openSUSE 11.4 : bind-9.7.6P3-0.37.1
  openSUSE 12.1 : bind-9.8.3P3-4.20.1
  openSUSE 12.2 : bind-9.9.1P3-1.4.1
  SUSE LE 10 SP3 : bind-9.3.4-1.40.1
  SUSE LE 10 SP4 : bind-9.6ESVR7P3-0.7.1
  SUSE LE 11 : bind-9.6ESVR7P3-0.9.1

VMware ESX 4.0: patch ESX400-201305001.
A patch is available:
  ESX400-201305001.zip
  https://kb.vmware.com/kb/2044240

VMware ESX 4.1: patch ESX410-201301001.
A patch is available:
  http://kb.vmware.com/kb/2041331