CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c
Author: Michael McNally | Reference Number: AA-00544 | Created: 2011-11-16 20:44 | Last Updated: 2012-06-08 11:42

Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))". Multiple versions were reported as affected, including all currently supported release versions of ISC BIND 9. ISC is actively investigating the root cause and has produced patches which prevent the crash. Further information will be made available soon.
Document Version: 2.0.1
Posting date: 16 Nov 2011
Program Impacted: BIND
Versions affected: BIND 9.0.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, 9.8.0->9.8.1, 9.9.0a1->9.9.0b1
Severity: Serious
Exploitable: Remotely
Description: 

An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working to determine how a record with this particular inconsistency comes to be cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.

The patch has two components. When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.

Update as of 5 December: 
Having completed our analysis of the data submitted by those who experienced the crash, ISC has identified how and why this event occurred.


We have confirmed that it was triggered by an accidental operational error that exposed a previously unknown bug in BIND, causing an internal inconsistency which is effectively prevented by the mitigation patches we have produced and distributed.


While the original trigger for this incident no longer exists, it is very possible that the same set of circumstances could be made to recur deliberately rather than accidentally. Therefore, ISC strongly recommends that those running vulnerable servers continue to update to a patched release of BIND.
 

Translations of original CVE:
Spanish translation of the original advisory https://www.isc.org/advisorycve20114313ES

Japanese translation of the original advisory https://www.isc.org/advisorycve20114313JP

http://jprs.jp/tech/security/2011-11-17-bind9-vuln-crash-after-logging-an-error.html

German translation of the original advisory http://cert.uni-stuttgart.de/ticker/article.php?mid=1686

Chinese translation of the original advisory https://www.isc.org/advisorycve20114313CN

Portuguese translation of the original advisory https://www.isc.org/advisorycve20114313PT

 

CVSS Score: 7.8

CVSS Equation:
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

 

Workarounds: 

The best solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
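The following Python check is an added example, not part of ISC's advisory or code: it classifies an ISC release string against the "Versions affected" ranges and the patched releases listed on this page. The function names and the version-string grammar are assumptions; vendor-packaged version strings are rejected rather than guessed at, because distributors ship their own patched builds.

```python
import re

# Assumed grammar for ISC release strings: 9.8.1-P1, 9.6-ESV-R5-P1, 9.9.0b1
_VER = re.compile(
    r"^(?:BIND\s+)?(\d+)\.(\d+)(?:\.(\d+))?"  # 9.8.1, or 9.6 for ESV branches
    r"(?:(a|b|rc)(\d+))?"                      # pre-release tag: a1, b1, rc1
    r"(-ESV)?(?:-R(\d+))?(?:-P(\d+))?$"        # -ESV, -R5, -P1
)

def parse(version):
    """Split a release string into comparable fields (hypothetical helper)."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, pre, pre_n, esv, r, p = m.groups()
    return {
        "branch": (int(major), int(minor)),
        "patch": int(patch or 0),
        "pre": (pre, int(pre_n)) if pre else None,
        "esv": bool(esv),
        "r": int(r or 0),
        "p": int(p or 0),
    }

def listed_as_affected(version):
    """True if the version falls inside a range this advisory lists."""
    v = parse(version)
    branch = v["branch"]
    if v["esv"]:
        # 9.4-ESV -> 9.4-ESV-R5 and 9.6-ESV -> 9.6-ESV-R5; fixed in -R5-P1
        return branch in ((9, 4), (9, 6)) and (v["r"], v["p"]) < (5, 1)
    if (9, 0) <= branch <= (9, 6):
        return True  # 9.0.x -> 9.6.x: no patched non-ESV release is listed
    if branch == (9, 7):
        # 9.7.0 -> 9.7.4, fixed in 9.7.4-P1 (pre-releases are not listed)
        return v["pre"] is None and (v["patch"], v["p"]) < (4, 1)
    if branch == (9, 8):
        # 9.8.0 -> 9.8.1, fixed in 9.8.1-P1 (pre-releases are not listed)
        return v["pre"] is None and (v["patch"], v["p"]) < (1, 1)
    if branch == (9, 9):
        # only the pre-releases 9.9.0a1 -> 9.9.0b1 are listed
        return v["patch"] == 0 and v["pre"] is not None and v["pre"] <= ("b", 1)
    return False

if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory
    for ver in ["9.8.1", "BIND 9.8.1-P1", "9.6-ESV-R5", "9.9.0b1", "9.5.2-P4"]:
        print(f"{ver:16} listed as affected: {listed_as_affected(ver)}")
```

A `False` result means only that the version is outside the ranges this advisory lists, not that the build has been verified as patched.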

5 December Update: For customers who are unable to migrate immediately to a patched version of BIND, there is now a mitigation strategy available.  ISC continues to strongly recommend installing a patched version as the safest course of action, but if circumstances prevent you from doing so you can still reduce or eliminate your exposure to the CVE-2011-4313 vulnerability with a configuration option addition to named.conf.

Please see this Supplemental page in our KnowledgeBase for full details of this workaround and other operational considerations.

 

Active exploits: 
None known

ISC is receiving multiple reports and working with multiple customers on this issue. Please e-mail all questions, packet captures, and details to security-officer@isc.org.

We very much appreciate all reports received on this issue.

Document Revision History

1.0    16 November 2011 - Interim Advisory

1.1    16 November 2011 - Mitigation patches, further information 

1.2    16 November 2011 - Added Spanish and Japanese translations & CVSS info

1.2.1 17 November 2011 - Added German and Chinese translations, updated versions affected, and related documents

1.3    18 November 2011 - Added all BIND 9 Versions as vulnerable & Portuguese translation

1.3.1 21 November 2011 - Added O/S vendor specific patch links and updated versions affected to include all 9.6.x versions and 9.9.0Alpha & Beta, corrected Doc version #

1.3.2  24 November 2011 - Removed FreeBSD link for patch

2.0     5 December 2011 - Added additional description about verifying the cause of this issue, and add workaround

2.0.1  29 December 2011 - Added FreeBSD link for patch

Related Document: 

Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.

ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy

This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2011-4313
A supplemental document is also available with additional details on the workaround and other operational considerations: https://deepthought.isc.org/article/AA-00549

See our BIND Security Matrix for a complete listing of security vulnerabilities and versions affected.
Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.

O/S vendor specific patches can be found here:

Debian http://article.gmane.org/gmane.linux.debian.security.announce/2454
Ubuntu https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-November/001482.html
RedHat https://rhn.redhat.com/errata/RHSA-2011-1458.html 
FreeBSD http://security.freebsd.org/advisories/FreeBSD-SA-11:06.bind.asc

 

© 2001-2014 Internet Systems Consortium
