FreeBSD Security Advisory FreeBSD-SA-05:12.bind9

From: FreeBSD Security Advisories (security-advisories_at_freebsd.org)
Date: 06/09/05

  • Next message: b0iler: "remote command execution in 'tattle'"
    Date: Thu, 9 Jun 2005 10:30:26 GMT
    To: Bugtraq <bugtraq@securityfocus.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    =============================================================================
    FreeBSD-SA-05:12.bind9 Security Advisory
                                                              The FreeBSD Project

    Topic: BIND 9 DNSSEC remote denial of service vulnerability

    Category: core
    Module: bind9
    Announced: 2005-06-09
    Credits: Internet Systems Consortium
    Affects: FreeBSD 5.3
    Corrected: 2005-03-23 18:16:29 UTC (RELENG_5, 5.3-STABLE)
                    2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
    CVE Name: CAN-2005-0034

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit
    <URL:http://www.freebsd.org/security/>.

    I. Background

    BIND 9 is an implementation of the Domain Name System (DNS) protocols.
    The named(8) daemon is the Internet domain name server. DNS Security
    Extensions (DNSSEC) are additional protocol options that add
    authentication and integrity to the DNS protocols.

    DNSSEC is not enabled by default in any FreeBSD release. A system
    administrator must take special action to enable DNSSEC.

    II. Problem Description

    A DNSSEC-related validator function in BIND 9.3.0 contains an
    inappropriate internal consistency test. When this test is triggered,
    named(8) will exit.

    III. Impact

    On systems with DNSSEC enabled, a remote attacker may be able to inject
    a specially crafted packet that will cause the internal consistency test
    to trigger, and named(8) to terminate. As a result, the name server
    will no longer be available to service requests.

    IV. Workaround

    DNSSEC is not enabled by default, and the "dnssec-enable" directive is
    not normally present. If DNSSEC has been enabled, disable it by
    changing the "dnssec-enable" directive to "dnssec-enable no;" in the
    named.conf(5) configuration file.

    V. Solution

    Perform one of the following:

    1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_3
    security branch dated after the correction date.

    2) To patch your present system:

    The following patches have been verified to apply to FreeBSD 5.3
    systems.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:12/bind9.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:12/bind9.patch.asc

    b) Execute the following commands as root:

    # cd /usr/src/
    # patch < /path/to/patch
    # cd /usr/src/lib/bind
    # make obj && make depend && make && make install
    # cd /usr/src/usr.sbin/named
    # make obj && make depend && make && make install

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in FreeBSD.

    Branch Revision
      Path
    - -------------------------------------------------------------------------
    RELENG_5
      src/contrib/bind9/lib/dns/validator.c 1.1.1.1.2.2
    RELENG_5_3
      src/UPDATING 1.342.2.13.2.19
      src/sys/conf/newvers.sh 1.62.2.15.2.21
      src/contrib/bind9/lib/dns/validator.c 1.1.1.1.2.1.2.1
    - -------------------------------------------------------------------------

    VII. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0034
    http://www.kb.cert.org/vuls/id/938617
    http://www.isc.org/index.pl?/sw/bind/bind-security.php
    http://www.isc.org/index.pl?/sw/bind/bind9.php

    The latest revision of this advisory is available at
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:12.bind9.asc
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (FreeBSD)

    iD8DBQFCqBbfFdaIBMps37IRAiphAKCG8CX6eNFMNQYhahAER4gFVFc54wCfRZye
    2C6LIcrq47xn5SRRV3T9ZL4=
    =gFcD
    -----END PGP SIGNATURE-----


  • Next message: b0iler: "remote command execution in 'tattle'"

    Relevant Pages