BIND: Denial of Service — GLSA 200908-02

Dynamic Update packets can cause a Denial of Service in the BIND daemon.

Affected Packages

net-dns/bind on all architectures
Affected versions < 9.4.3_p3
Unaffected versions >= 9.4.3_p3

Background

ISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol.

Description

Matthias Urlichs reported that the dns_db_findrdataset() function fails when the prerequisite section of the dynamic update message contains a record of type "ANY" and where at least one RRset for this FQDN exists on the server.

Impact

A remote unauthenticated attacker could send a specially crafted dynamic update message to the BIND daemon (named), leading to a Denial of Service (daemon crash). This vulnerability affects all primary (master) servers -- it is not limited to those that are configured to allow dynamic updates.

Workaround

Configure a firewall that performs Deep Packet Inspection to prevent nsupdate messages from reaching named. Alternatively, expose only secondary (slave) servers to untrusted networks.

Resolution

All BIND users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p3"

References

Release Date
August 01, 2009

Latest Revision
August 01, 2009: 01

Severity
normal

Exploitable
remote

Bugzilla entries