Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 279579

Summary: net-dns/bind-9.*: BIND Dynamic Update DoS
Product: Gentoo Security Reporter: Daniel Solano Gómez <gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: critical    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.isc.org/node/474
Whiteboard:
Package list:
Runtime testing required: ---

Description Daniel Solano Gómez 2009-07-29 13:00:35 UTC 
From the ISC site:
------------------

Description:

Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).


Workarounds: None. 


Active exploits: An active remote exploit is in wide circulation at this time.
Solution:

Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1.
Comment 1 Jaco van der Schyff 2009-07-29 13:08:56 UTC 
Dupe of #279508
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-29 13:12:43 UTC 

*** This bug has been marked as a duplicate of bug 279508 ***