The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of ISC BIND: infinite loop via lwresd

Synthesis of the vulnerability

An attacker can generate an infinite loop via lwresd of ISC BIND, in order to trigger a denial of service.
Vulnerable systems: Debian, VNX Operating Environment, VNX Series, Fedora, HP-UX, AIX, BIND, openSUSE Leap, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, VxWorks.
Severity of this threat: 2/4.
Creation date: 19/07/2016.
References of this weakness: AA-01393, bulletinjul2016, c05321107, CVE-2016-2775, DLA-645-1, DSA-2019-131, DSA-2019-197, FEDORA-2016-007efacd1c, FEDORA-2016-2941b3264e, FEDORA-2016-3fba74e7f5, FEDORA-2016-53f0c65f40, openSUSE-SU-2017:1063-1, RHSA-2017:2533-01, SSA:2016-204-01, SUSE-SU-2017:0998-1, SUSE-SU-2017:0999-1, SUSE-SU-2017:1027-1, VIGILANCE-VUL-20144.

Description of the vulnerability

The ISC BIND product implements the "lightweight resolver protocol" in the lwresd daemon, or in named when named.conf contains the "lwres" section.

However, when getrrsetbyname() is called to resolve a long relative name (one that is combined with a search list entry), an infinite recursion occurs in lwresd/lwres.

An attacker can therefore generate an infinite loop via lwresd of ISC BIND, in order to trigger a denial of service.
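As an added illustration, not part of the Vigil@nce bulletin, the following Python helper does the two triage checks an administrator needs here: whether an upstream BIND version string is at or above the fixed 9.9.9-P2 / 9.10.4-P2 releases, and whether a named.conf actually enables the lightweight resolver (the "lwres" section). The named.conf sample is constructed. Vendor builds with backported fixes (the RHEL, SUSE, Debian and Slackware packages listed below) keep an older upstream number, so for those compare the package version, not the upstream one.

```python
import re

# Upstream releases that fix CVE-2016-2775, keyed by branch (major, minor),
# as (major, minor, release, patch-level).
FIXED = {(9, 9): (9, 9, 9, 2), (9, 10): (9, 10, 4, 2)}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def parse_bind_version(text):
    """Turn '9.9.9-P2' into (9, 9, 9, 2); a release without -Pn gets patch level 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel), int(patch or 0))


def upstream_fixed(version_text):
    """True when an upstream BIND build is at or above the fixed release of its
    branch, False when it is older, None for a branch the bulletin does not list
    (e.g. 9.8), which needs manual review against the vendor advisories."""
    v = parse_bind_version(version_text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


# A top-level "lwres {" statement; named only runs the lightweight resolver
# when this section is present.
_LWRES_RE = re.compile(r"^\s*lwres\s*\{", re.MULTILINE)


def lwres_enabled(named_conf):
    """True if named.conf turns on the lightweight resolver, ignoring commented-out
    sections (named.conf accepts /* */, // and # comments)."""
    stripped = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.DOTALL)
    stripped = re.sub(r"(//|#).*", "", stripped)
    return _LWRES_RE.search(stripped) is not None


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real host.
    sample_conf = 'options { directory "/var/named"; };\nlwres {\n    listen-on { 127.0.0.1 port 921; };\n};\n'
    for ver in ("9.9.9-P1", "9.9.9-P2", "9.10.4", "9.10.4-P2"):
        print(ver, "fixed upstream:", upstream_fixed(ver))
    print("lwres enabled in sample named.conf:", lwres_enabled(sample_conf))
```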

This security bulletin impacts software or systems such as Debian, VNX Operating Environment, VNX Series, Fedora, HP-UX, AIX, BIND, openSUSE Leap, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, VxWorks.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is medium.

The trust level is: confirmed by the vendor, with an origin of internet client.

An attacker with an expert ability can exploit this vulnerability alert.

Solutions for this threat

ISC BIND: version 9.10.4-P2.
The version 9.10.4-P2 is fixed:
  http://www.isc.org/downloads/

ISC BIND: version 9.9.9-P2.
The version 9.9.9-P2 is fixed:
  http://www.isc.org/downloads/

AIX: patch for BIND.
A patch is available:
  https://aix.software.ibm.com/aix/efixes/security/bind_fix13.tar

Debian 7: new bind9 packages.
New packages are available:
  Debian 7: bind9 1:9.8.4.dfsg.P1-6+nmu2+deb7u11

Dell EMC VNXe3200: version 3.1.10.9946299.
The version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Dell EMC VNXe: version MR4 Service Pack 5.
The version MR4 Service Pack 5 is fixed:
  https://www.dell.com/support/

Fedora 23: new dhcp packages.
New packages are available:
  Fedora 23: dhcp 4.3.3-10.P1.fc23

Fedora: new bind99 packages.
New packages are available:
  Fedora 23: bind99 9.9.9-1.P2.fc23
  Fedora 24: bind99 9.9.9-1.P2.fc24

Fedora: new bind packages.
New packages are available:
  Fedora 23: bind 9.10.4-1.P2.fc23
  Fedora 24: bind 9.10.4-1.P2.fc24

HP-UX: BIND version 9.9.4.
BIND version 9.9.4 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=BIND

openSUSE Leap: new bind packages.
New packages are available:
  openSUSE Leap 42.1: bind 9.9.9P1-51.1
  openSUSE Leap 42.2: bind 9.9.9P1-48.3.1

RHEL 7.3: new bind packages.
New packages are available:
  RHEL 7: bind 9.9.4-50.el7_3.2

Slackware: new bind packages.
New packages are available:
  Slackware 13.0: bind 9.9.9_P2-*-1_slack13.0
  Slackware 13.1: bind 9.9.9_P2-*-1_slack13.1
  Slackware 13.37: bind 9.9.9_P2-*-1_slack13.37
  Slackware 14.0: bind 9.9.9_P2-*-1_slack14.0
  Slackware 14.1: bind 9.9.9_P2-*-1_slack14.1
  Slackware 14.2: bind 9.10.4_P2-*-1_slack14.2

Solaris: patch for third party software of July 2016 v4.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE: new bind packages.
New packages are available:
  SUSE LE 11 SP3: bind 9.9.6P1-0.47.1
  SUSE LE 11 SP4: bind 9.9.6P1-0.47.1
  SUSE LE 12 RTM: bind 9.9.9P1-28.34.1
  SUSE LE 12 SP1: bind 9.9.9P1-59.1

Wind River VxWorks: solution for DNS/DHCP.
The solution is indicated in information sources.

Computer vulnerabilities tracking service

Vigil@nce provides computer security patches. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.