Vulnerability Note VU#718460

ISC BIND denial of service vulnerability

Original Release date: 03 May 2007 | Last revised: 03 Jul 2007

Overview

A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.

Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC).


BIND version 9.4.0 contains a vulnerability in the way that the query_addsoa() function is called. A remote attacker with the ability to send a specific sequence of queries to a vulnerable system can cause the nameserver to exit. Note that recursion must be enabled on the nameserver for this vulnerability to be exposed.

Impact

A remote attacker may be able to cause the name server daemon to exit prematurely, thereby causing a denial of service for DNS operations.

Solution

Upgrade

Users who compile their own copies of the affected version of BIND (9.4.0) from the original ISC source code are encouraged to upgrade to BIND version 9.4.1 (or later), which includes a patch for this issue.

Workarounds


Disable Recursion
Users, particularly those who are not able to upgrade, are encouraged to disable recursion ('recursion no;' set in named.conf) if it is not required by their configuration.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Internet Software ConsortiumAffected29 Apr 200702 May 2007
Mandriva, Inc.Affected02 May 200715 May 2007
NetBSDAffected02 May 200703 Jul 2007
Apple Computer, Inc.Not Affected02 May 200715 May 2007
Novell, Inc.Not Affected02 May 200709 May 2007
Openwall GNU/*/LinuxNot Affected02 May 200709 May 2007
Slackware Linux Inc.Not Affected02 May 200703 May 2007
Sun Microsystems, Inc.Not Affected02 May 200715 May 2007
UbuntuNot Affected02 May 200703 May 2007
BlueCat Networks, Inc.Unknown02 May 200702 May 2007
Check Point Software TechnologiesUnknown02 May 200702 May 2007
Conectiva Inc.Unknown02 May 200702 May 2007
Cray Inc.Unknown02 May 200702 May 2007
Debian GNU/LinuxUnknown02 May 200702 May 2007
EMC, Inc. (formerly Data General Corporation)Unknown02 May 200702 May 2007
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Mark Andrews of the Internet Systems Consortium (ISC) for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CVE-2007-2241
  • Date Public: 01 May 2007
  • Date First Published: 03 May 2007
  • Date Last Updated: 03 Jul 2007
  • Severity Metric: 6.90
  • Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.