-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-09:12.bind Security Advisory The FreeBSD Project Topic: BIND named(8) dynamic update message remote DoS Category: contrib Module: bind Announced: 2009-07-29 Credits: Matthias Urlichs Affects: All supported versions of FreeBSD Corrected: 2009-07-28 23:59:22 UTC (RELENG_7, 7.2-STABLE) 2009-07-29 00:14:14 UTC (RELENG_7_2, 7.2-RELEASE-p3) 2009-07-29 00:14:14 UTC (RELENG_7_1, 7.1-RELEASE-p7) 2009-07-29 00:13:47 UTC (RELENG_6, 6.4-STABLE) 2009-07-29 00:14:14 UTC (RELENG_6_4, 6.4-RELEASE-p6) 2009-07-29 00:14:14 UTC (RELENG_6_3, 6.3-RELEASE-p12) CVE Name: CVE-2009-0696 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. NOTE: Due to this issue being accidentally disclosed early, updated binaries are yet not available via freebsd-update at the time this advisory is being published. Email will be sent to the freebsd-security mailing list when the binaries are available via freebsd-update. I. Background BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. Dynamic update messages may be used to update records in a master zone on a nameserver. II. Problem Description When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit. To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server. III. Impact An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation. IV. Workaround No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver. NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1, and 7.2 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch # fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/bind # make obj && make depend && make && make install # cd /usr/src/usr.sbin/named # make obj && make depend && make && make install # /etc/rc.d/named restart VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/contrib/bind9/bin/named/update.c 1.1.1.2.2.5 RELENG_6_4 src/UPDATING 1.416.2.40.2.10 src/sys/conf/newvers.sh 1.69.2.18.2.12 src/contrib/bind9/bin/named/update.c 1.1.1.2.2.3.2.1 RELENG_6_3 src/UPDATING 1.416.2.37.2.17 src/sys/conf/newvers.sh 1.69.2.15.2.16 src/contrib/bind9/bin/named/update.c 1.1.1.2.2.2.2.1 RELENG_7 src/contrib/bind9/bin/named/update.c 1.1.1.5.2.3 RELENG_7_2 src/UPDATING 1.507.2.23.2.6 src/sys/conf/newvers.sh 1.72.2.11.2.7 src/contrib/bind9/bin/named/update.c 1.1.1.5.2.2.2.1 RELENG_7_1 src/UPDATING 1.507.2.13.2.10 src/sys/conf/newvers.sh 1.72.2.9.2.11 src/contrib/bind9/bin/named/update.c 1.1.1.5.2.1.4.1 HEAD src/contrib/bind9/bin/named/update.c 1.4 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- head/ r195936 stable/6/ r195934 releng/6.4/ r195935 releng/6.3/ r195935 stable/7/ r195933 releng/7.2/ r195935 releng/7.1/ r195935 - ------------------------------------------------------------------------- VII. References https://www.isc.org/node/474 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-09:12.bind.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (FreeBSD) iD8DBQFKb5koFdaIBMps37IRAglLAKCFGXI+MAsksnK5TZB/8L3UFhPS1gCgl7q5 6fCpOeBcf7f83dVfKRDVF0I= =akJW -----END PGP SIGNATURE-----