The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of ISC Bind: denial of service via DNSSEC validation

Synthesis of the vulnerability

An attacker can force an assertion error in the DNSSEC validation of ISC Bind, in order to trigger a denial of service.
Severity of this computer vulnerability: 4/4.
Creation date: 08/07/2015 (8 July 2015).
References for this bulletin: BSA-2015-009, c04745746, CVE-2015-4620, DSA-2019-197, DSA-3304-1, FEDORA-2015-11483, FEDORA-2015-11484, FreeBSD-SA-15:11.bind, HPSBUX03379, openSUSE-SU-2015:1250-1, openSUSE-SU-2015:1250-2, openSUSE-SU-2015:1326-1, RHSA-2015:1443-01, RHSA-2015:1471-01, SOL16912, SSA:2015-188-04, SSRT101976, SUSE-SU-2015:1205-1, USN-2669-1, VIGILANCE-VUL-17320.

Description of the vulnerability

The ISC Bind server (named) can act as a validating resolver: it resolves queries recursively and checks the DNSSEC signatures on the answers it obtains.

However, when named is configured to validate DNSSEC signatures during recursive resolution, a combination of resource records that is rare but fully valid triggers an assertion failure in the source file "name.c", because the developers did not anticipate this case. The assertion failure aborts the named process, so every query the server was handling is lost until it is restarted. The offending records come from the zones the resolver looks up, not from the resolver's own configuration: an attacker who controls such a zone, and who can get the resolver to query it (for example by sending it a query for a name in that zone), can trigger the crash remotely. Servers that do not recurse (recursion no) or that do not validate (dnssec-validation no) do not reach the affected code path.

An attacker can therefore force an assertion error in the DNSSEC validation of ISC Bind, in order to trigger a denial of service.
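Before applying the fixes listed below, an administrator usually wants to know two things about each BIND host: is the running named older than the fixed upstream release for its branch, and is the crashing code path (DNSSEC validation during recursion) actually enabled? The following Python script is an added example written for this page; it is not part of the Vigil@nce bulletin and not ISC code. The fixed upstream versions (9.9.7-P1 and 9.10.2-P2) and the Debian package version come from this bulletin; the BIND defaults it relies on (recursion on, dnssec-validation yes when the option is absent) and the "file.c:line: REQUIRE(expr) failed" form of named's assertion log line are BIND behaviour; the assumption that vendor builds tag the `named -v` banner with a suffix such as "-Debian" is marked as an assumption in the code, and all banners, configuration text and log lines in it are constructed samples.

```python
"""Added triage helper for CVE-2015-4620 (constructed example, not part of the
Vigil@nce bulletin and not ISC code).  It answers two questions a BIND admin
asks before patching: is this named old enough to be affected, and is the
crashing code path (DNSSEC validation during recursion) actually reachable?
Fixed upstream versions are those in the bulletin: 9.9.7-P1 and 9.10.2-P2.
All banners, config text and log lines below are constructed samples."""
import re

# First upstream release of each branch that carries the fix (from the bulletin).
FIXED = {(9, 9): (9, 9, 7, 1), (9, 10): (9, 10, 2, 2)}

_VER_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")
# Assumption: vendor builds tag the banner, e.g. '9.9.5-9+deb8u1-Debian'.
_VENDOR_RE = re.compile(r"-(Debian|Ubuntu|RedHat)\b")
# named logs assertion failures as '<file>.c:<line>: REQUIRE(<expr>) failed'.
_ASSERT_RE = re.compile(r"(\w+\.c):(\d+): (REQUIRE|INSIST|ENSURE)\((.+?)\) failed")


def parse_named_version(banner):
    """Parse `named -v` output such as 'BIND 9.9.7-P1 (Extended Support Version)'
    into (major, minor, patch, plevel); plevel is 0 when there is no -Pn suffix."""
    m = _VER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised named -v output: %r" % banner)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def upstream_is_fixed(version):
    """True when an upstream (ISC-built) version includes the fix.
    9.8 and older are not listed in the bulletin: treat them as unfixed.
    Branches newer than 9.10 were released after the fix and include it."""
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    return branch > (9, 10)


def validation_reachable(named_conf):
    """True when named.conf leaves the vulnerable path reachable: recursion on
    (the BIND default) and dnssec-validation not 'no' (9.9/9.10 default to
    'yes', so an absent directive counts as enabled).  Simplified: comments are
    stripped, the last occurrence of a directive wins, views are not scoped."""
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", named_conf, flags=re.S)
    recursion = re.findall(r"^\s*recursion\s+(yes|no)\s*;", text, re.M)
    validation = re.findall(r"^\s*dnssec-validation\s+(auto|yes|no)\s*;", text, re.M)
    recursion_on = not recursion or recursion[-1] == "yes"
    validation_on = not validation or validation[-1] != "no"
    return recursion_on and validation_on


def assertion_failures(log_lines):
    """Pull assertion failures out of named's log; one in name.c on a validating
    resolver is the symptom this bulletin describes.  Returns (file, line, expr)."""
    hits = []
    for line in log_lines:
        m = _ASSERT_RE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), m.group(4)))
    return hits


def triage(banner, named_conf):
    """Combine the checks into one verdict string."""
    version = parse_named_version(banner)
    if not validation_reachable(named_conf):
        return "not reachable: recursion or DNSSEC validation is off"
    if _VENDOR_RE.search(banner):
        # Vendor builds backport the fix without bumping the upstream version
        # (Debian 8 keeps 9.9.5 and ships the fix in 1:9.9.5.dfsg-9+deb8u1):
        # compare the package version against the bulletin's list instead.
        return "vendor build: compare package version with the bulletin"
    if upstream_is_fixed(version):
        return "fixed upstream version"
    return "VULNERABLE: upgrade to 9.9.7-P1 / 9.10.2-P2 or later"


if __name__ == "__main__":
    # Constructed samples (not real hosts, not real log lines).
    conf = "options {\n  recursion yes;\n  dnssec-validation auto;\n};\n"
    print(triage("BIND 9.9.5-P1", conf))
    print(triage("BIND 9.10.2-P2", conf))
    print(triage("BIND 9.9.5-9+deb8u1-Debian", conf))
    print(assertion_failures([
        "general: critical: name.c:1234: REQUIRE(n != NULL) failed",
        "general: critical: exiting (due to assertion failure)",
    ]))
```

The vendor-build branch is the important caveat: `named -v` on Debian, Ubuntu or RHEL keeps reporting the upstream base version (9.9.5, 9.9.4, 9.8.2) after the backported fix is installed, so the upstream comparison alone yields false positives there; for those hosts compare the installed package version with the per-distribution versions listed in the solutions below.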

This vulnerability bulletin affects software and systems including DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Debian, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, BIND, openSUSE, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

The Vigil@nce team rates the severity of this vulnerability as critical (4/4).

Trust level: confirmed by the vendor (ISC). Attack origin: internet server, i.e. a remote attacker who supplies the DNS data that the resolver validates.

Exploiting this vulnerability requires expert-level skill.

Solutions for this threat

ISC Bind: version 9.10.2-P2.
The version 9.10.2-P2 is fixed:
  https://kb.isc.org/article/AA-01269

ISC Bind: version 9.9.7-P1.
The version 9.9.7-P1 is fixed:
  https://kb.isc.org/article/AA-01270

Brocade: fixed versions for Java, OpenSSL, OpenSSH, BIND.
Fixed versions are indicated in information sources.

Debian: new bind9 packages.
New packages are available:
  Debian 8: bind9 1:9.9.5.dfsg-9+deb8u1
  Debian 7: bind9 1:9.8.4.dfsg.P1-6+nmu2+deb7u5

Dell EMC VNXe: version MR4 Service Pack 5.
The version MR4 Service Pack 5 is fixed:
  https://www.dell.com/support/

F5 BIG-IP: fixed versions for Bind.
Fixed versions are indicated in information sources.

Fedora: new bind packages.
New packages are available:
  Fedora 21: bind 9.9.6-9.P1.fc21
  Fedora 22: bind 9.10.2-3.P2.fc22

FreeBSD: patch for bind.
Patches are available:
  FreeBSD 9.3: https://security.FreeBSD.org/patches/SA-15:11/bind-9.patch
  FreeBSD 8.4: https://security.FreeBSD.org/patches/SA-15:11/bind-8.patch
Corresponding binary packages are also available.

HP-UX: fixed versions for BIND.
Fixed versions are indicated in information sources.

openSUSE 11.4: new bind packages.
New packages are available:
  openSUSE 11.4: bind 9.9.4P2-66.1

openSUSE: new bind packages.
New packages are available:
  openSUSE 13.1: bind 9.9.4P2-2.11.1
  openSUSE 13.2: bind 9.9.6P1-2.4.1

RHEL 6.7: new bind packages.
New packages are available:
  RHEL 6: bind 9.8.2-0.37.rc1.el6_7.1

RHEL 7.1: new bind packages.
New packages are available:
  RHEL 7: bind 9.9.4-18.el7_1.2

Slackware: new bind packages.
New packages are available:
  Slackware 13.0: bind 9.9.7_P1-*-1_slack13.0
  Slackware 13.1: bind 9.9.7_P1-*-1_slack13.1
  Slackware 13.37: bind 9.9.7_P1-*-1_slack13.37
  Slackware 14.0: bind 9.9.7_P1-*-1_slack14.0
  Slackware 14.1: bind 9.9.7_P1-*-1_slack14.1

SUSE LE 11: new bind packages.
New packages are available:
  SUSE LE 11: bind 9.9.6P1-0.7.1

Ubuntu: new bind9 packages.
New packages are available:
  Ubuntu 15.04: bind9 1:9.9.5.dfsg-9ubuntu0.1
  Ubuntu 14.10: bind9 1:9.9.5.dfsg-4.3ubuntu0.3
  Ubuntu 14.04 LTS: bind9 1:9.9.5.dfsg-3ubuntu0.3
  Ubuntu 12.04 LTS: bind9 1:9.8.1.dfsg.P1-4ubuntu0.11
