Vigil@nce: BIND 9, denial of service via recursion
December 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a query to a recursive BIND DNS server whose
cache holds an invalid negative entry, in order to crash it.
– Severity: 2/4
– Creation date: 16/11/2011
– Revision date: 17/11/2011
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– IBM AIX
– ISC BIND
– Mandriva Enterprise Server
– Mandriva Linux
– Novell Linux Desktop
– OpenSolaris
– OpenSUSE
– Oracle Solaris
– Oracle Trusted Solaris
– Red Hat Enterprise Linux
– SUSE Linux Enterprise Server
DESCRIPTION OF THE VULNERABILITY
The BIND DNS server can be configured in recursive mode, in order
to resolve external names on behalf of internal clients. Replies
from external DNS servers are kept in a cache, which is then
consulted to answer later queries.
The DNSSEC protocol is used to authenticate the data of DNS zones.
The NSEC and NSEC3 records are used to prove that a name does not
exist (NXDOMAIN, Non-Existent Domain, NX). When a recursive server
builds the additional section of a reply from such a cached
negative entry, it expects no signature rdataset to be associated
with that entry.
An attacker can, by a method that is not publicly known, force the
cache of a recursive DNS server to contain an NX entry with
associated data. When a client then requests this name, the
query_addadditional2() function of the query.c file evaluates
INSIST(!dns_rdataset_isassociated(sigrdataset)). The assertion
fails, because a signature rdataset is associated with the NX
entry, and the INSIST macro aborts the daemon.
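A failed INSIST does not degrade the service gracefully: named logs the failed check and exits, so the crash is visible in the server's logs before monitoring notices that resolution has stopped. The Python script below is an added example for this bulletin, not code from Vigil@nce or ISC. It parses syslog-style named lines, extracts each failed assertion (file, line, macro, expression), pairs it with the "exiting (due to assertion failure)" line of the same process, and records the last client query that process logged beforehand. The log lines are constructed for the example: the file name query.c and the INSIST expression are those named in this bulletin, while the source line number 9999, the PIDs, host, client addresses and timestamps are placeholders. The "last query" is only a lead for the investigation, not proof of which query triggered the failure.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of syslog lines from a recursive BIND server (not a real
# capture).  "query.c" and the INSIST text come from the bulletin; the line
# number 9999, PIDs, host, client addresses and timestamps are placeholders.
SAMPLE_LOG = """\
Nov 16 10:02:11 ns1 named[4242]: client 10.0.0.7#51234: query: www.example.com IN A +
Nov 16 10:02:11 ns1 named[4242]: client 10.0.0.9#40011: query: bad.example.net IN A +
Nov 16 10:02:12 ns1 named[4242]: query.c:9999: INSIST(!dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 10:02:12 ns1 named[4242]: exiting (due to assertion failure)
Nov 16 10:02:15 ns1 named[4311]: running
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# named reports a failed runtime check as "<file>:<line>: <KIND>(<expr>) failed",
# where KIND is one of the ISC assertion macros.
ASSERT_RE = re.compile(
    r"^(?P<file>[\w./-]+):(?P<line>\d+): "
    r"(?P<kind>REQUIRE|ENSURE|INSIST|INVARIANT)\((?P<expr>.*)\) failed"
)
QUERY_RE = re.compile(
    r"^client (?P<client>\S+): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
EXIT_MSG = "exiting (due to assertion failure)"


@dataclass
class AssertionCrash:
    timestamp: str
    host: str
    pid: int
    file: str
    line: int
    kind: str
    expr: str
    exited: bool = False              # set once the matching "exiting" line is seen
    last_query: Optional[str] = None  # last query logged by this process beforehand


def find_assertion_crashes(log_text: str) -> List[AssertionCrash]:
    """Scan named log lines and return one record per failed assertion."""
    crashes: List[AssertionCrash] = []
    last_query_by_pid: Dict[int, str] = {}
    pending_exit: Dict[int, AssertionCrash] = {}
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a named line, or a format this parser does not know
        pid, msg = int(m["pid"]), m["msg"]
        q = QUERY_RE.match(msg)
        if q:
            # Remember the most recent query per process; a crash is attributed to it.
            last_query_by_pid[pid] = f"{q['client']} {q['qname']} {q['qclass']} {q['qtype']}"
            continue
        a = ASSERT_RE.match(msg)
        if a:
            crash = AssertionCrash(
                timestamp=m["ts"], host=m["host"], pid=pid,
                file=a["file"], line=int(a["line"]), kind=a["kind"], expr=a["expr"],
                last_query=last_query_by_pid.get(pid),
            )
            crashes.append(crash)
            pending_exit[pid] = crash
            continue
        if msg == EXIT_MSG and pid in pending_exit:
            pending_exit.pop(pid).exited = True
    return crashes


def matches_bulletin(crash: AssertionCrash) -> bool:
    """True when the failed check is the INSIST in query.c described in this bulletin."""
    expr = crash.expr.replace(" ", "")  # tolerate "INSIST(! dns_...)" spacing variants
    return (crash.file.endswith("query.c")
            and crash.kind == "INSIST"
            and "dns_rdataset_isassociated(sigrdataset)" in expr)


if __name__ == "__main__":
    for c in find_assertion_crashes(SAMPLE_LOG):
        tag = "matches this bulletin" if matches_bulletin(c) else "other assertion"
        print(f"{c.timestamp} {c.host} named[{c.pid}] {c.file}:{c.line} "
              f"{c.kind}({c.expr}) exited={c.exited} [{tag}]")
        print(f"  last query logged by that process: {c.last_query}")
```

Feed it the named syslog file (or the output of a log shipper) instead of SAMPLE_LOG; a crash that matches the bulletin on a server still running an affected version is the signal to patch, and the recorded client address and name are where the forensic work starts.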
In order to exploit this vulnerability, the attacker can be on the
internal network and request the resolution of the affected name.
He can also create an HTML document containing images hosted on a
server with a malicious name, and then invite the victim to display
this HTML page. He can also send an email from a malicious server
name, which the messaging server will resolve.
An attacker can therefore send a query to a recursive BIND DNS
server whose cache holds an invalid negative entry, in order to
crash it.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/BIND-9-denial-of-service-via-recursion-11162