CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c
| Author: Michael McNally Reference Number: AA-00544 Views: 36649 Created: 2011-11-16 20:44 Last Updated: 2012-06-08 11:42
0 Rating/ Voters
Organizations across the Internet reported crashes interrupting service on BIND
9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND
9. ISC is actively investigating the root cause and has produced patches which prevent the crash. Further information will be made available soon.
Posting date: 16 Nov 2011
Versions affected: BIND
9.0.x -> 9.6.x , 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, 9.8.0->9.8.1, 9.9.0a1->9.9.0b1
An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached.At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.
The patch has two components. When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.
Update as of 5 December:
Having completed our analysis of the data submitted by those who experienced the crash, ISC has identified how and why this event occurred.
We have confirmed that it was triggered by an accidental operational error that exposed a previously unknown bug in BIND, causing an internal inconsistency which is effectively prevented by the mitigation patches we have produced and distributed.
While the original trigger for this incident no longer exists, it is very possible that the same set of circumstances could be made to recur deliberately rather than accidentally. Therefore, ISC strongly recommends that those running vulnerable servers continue to update to a patched release of BIND.
Translations of original CVE:
Spanish translation of the original advisory https://www.isc.org/advisorycve20114313ES
Japanese translation of the original advisory https://www.isc.org/advisorycve20114313JP
German translation of the original advisory http://cert.uni-stuttgart.de/ticker/article.php?mid=1686
Chinese translation of the original advisory https://www.isc.org/advisorycve20114313CN
Portuguese translation of the original advisory https://www.isc.org/advisorycve20114313PT
CVSS Score: 7.8
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
The best solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
5 December Update: For customers who are unable to migrate immediately to a patched version of BIND, there is now a mitigation strategy available. ISC continues to strongly recommend installing a patched version as the safest course of action, but if circumstances prevent you from doing so you can still reduce or eliminate your exposure to the CVE-2011-4313 vulnerability with a configuration option addition to named.conf.
Please see this Supplemental page in our KnowledgeBase for full details of this workaround and other operational considerations.
ISC is receiving multiple reports and working with multiple customers on this issue. Please E-mail all questions, packet captures, and details firstname.lastname@example.org
We very much appreciate all reports received on this issue.
Document Revision History
1.0 16 November 2011 - Interim Advisory
1.1 16 November 2011 - Mitigation patches, further information
1.2 16 November 2011 - Added Spanish and Japanese translations & CVSS info
1.2.1 17 November 2011 - Added German and Chinese translations, updated versions affected, and related documents
1.3 18 November 2011 - Added all BIND 9 Versions as vulnerable & Portuguese translation
1.3.1 21 November 2011 - Added O/S vendor specific patch links and updated versions affected to include all 9.6.x versions and 9.9.0Alpha & Beta, corrected Doc version #
1.3.2 24 November 2011 - Removed FreeBSD link for patch
2.0 5 December 2011 - Added additional description about verifying the cause of this issue, and add workaround
2.0.1 29 December 2011 - Added FreeBSD link for patch
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
© 2001-2015 Internet Systems ConsortiumPlease help us to improve the content of our knowledge base by letting us know below how we can improve this article. If you have a technical question or problem on which you'd like help, please don't submit it here as article feedback. For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.