CERT-MU AD-2009-11
Vulnerability in bind (9) causes denial of service via dynamic update request
Original issue date: 29 July, 2009
Overview
A vulnerability has been reported in BIND 9, which is used as a Domain Name System (DNS) implementation. BIND supports dynamic DNS updates, and BIND 9 can crash when processing a specially crafted dynamic update packet. This vulnerability affects all BIND-based DNS servers, even those that do not use the dynamic update feature.
Description
An attacker can send specially crafted dynamic update DNS requests to a nameserver. Such crafted messages lead to a denial of service condition.
When named(8) receives a specially crafted dynamic update message, an internal assertion check is triggered, which causes named(8) to exit.
To trigger the problem, the dynamic update message must contain a record of type "ANY", and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server.
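For triage of captured DNS traffic, the following added Python example (not part of this advisory or of ISC's code) parses a DNS message and reports any type ANY record in the prerequisite or update section of an UPDATE message, the condition the advisory names; the two sample messages are constructed here for illustration.

```python
import struct

OPCODE_UPDATE = 5   # RFC 2136 opcode for dynamic update
TYPE_ANY = 255      # the record type the advisory names as the trigger

def read_name(msg, off):
    # Decode a domain name at msg[off], following RFC 1035 compression pointers.
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end or off + 2                       # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels) or ".", (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def read_rr(msg, off):
    # Parse one resource record; returns (owner name, type, offset after RDATA).
    name, off = read_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return name, rtype, off + 10 + rdlen

def flag_any_in_update(msg):
    # Return [(section, name), ...] for each type ANY record in an UPDATE message, else [].
    _id, flags, zocount, prcount, upcount, _adcount = struct.unpack("!6H", msg[:12])
    if ((flags >> 11) & 0xF) != OPCODE_UPDATE:
        return []
    off = 12
    for _ in range(zocount):                 # zone section: name, ZTYPE, ZCLASS
        _, off = read_name(msg, off)
        off += 4
    hits = []
    for section, count in (("prerequisite", prcount), ("update", upcount)):
        for _ in range(count):
            name, rtype, off = read_rr(msg, off)
            if rtype == TYPE_ANY:
                hits.append((section, name))
    return hits

# Constructed sample: UPDATE for zone example.com deleting all RRsets at host.example.com.
SAMPLE_UPDATE = (struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)
                 + b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)
                 + b"\x04host\xc0\x0c" + struct.pack("!HHIH", TYPE_ANY, 255, 0, 0))
# Constructed sample: an ordinary A query, which must not be flagged.
SAMPLE_QUERY = (struct.pack("!6H", 0x1, 0x0100, 1, 0, 0, 0)
                + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
```

A hit only indicates the message shape described above; it is not proof that the named FQDN has an RRset on the targeted server, so such events should be correlated with the server's own logs.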
Affected Systems
- All BIND-based DNS servers
Impact
Severity Rating: High
Solution
- This vulnerability is addressed in ISC BIND versions 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1.
- Apply the appropriate patches or fixes released by the respective vendors at server and client level.
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Vendor Information
Internet Systems Consortium
https://www.isc.org/node/474
FreeBSD
http://security.freebsd.org/advisories/FreeBSD-SA-09:12.bind.asc
CVE Name
CVE-2009-0696
References
Internet Systems Consortium
https://www.isc.org/node/474