Vulnerability Note VU#725188
ISC BIND 9 vulnerable to denial of service via dynamic update request
Overview
ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.
Description
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136. BIND 9 can crash when processing a specially-crafted dynamic update packet. ISC notes that this vulnerability affects all servers that are masters for one or more zones and is not limited to those that are configured to allow dynamic updates. ISC also indicates that the attack packet has to be constructed for a zone for which the target system is configured as a master; launching the attack against slave zones does not trigger the vulnerability.
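The distinction ISC draws above (the packet must be an RFC 2136 UPDATE naming a zone the server is master for) can be checked from the first bytes of the message alone: the header's opcode field (5 = UPDATE) and the single Zone-section entry that RFC 2136 requires. The following is an added example written for this note, not code from ISC, BIND or CERT. It parses only the header and Zone section, follows RFC 1035 compression pointers with a hop limit, and classifies constructed packets against a set of master zones; the packets are built inline for illustration and contain no attack payload, only the structure of a dynamic update request.

```python
"""Identify RFC 2136 dynamic UPDATE requests and the zone they target.

Added example for this vulnerability note; not code from ISC, BIND or CERT.
Only the DNS header and the Zone section (RFC 2136 section 2) are parsed,
which is enough to tell whether an inbound packet is an UPDATE aimed at a
zone this server is master for. Packets are constructed inline.
"""
import struct

OPCODE_QUERY = 0
OPCODE_UPDATE = 5      # RFC 2136 section 2: opcode 5 = UPDATE
TYPE_A = 1
TYPE_SOA = 6           # RFC 2136 section 2.3: ZTYPE must be SOA
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, offset, max_hops=16):
    """Decode a wire-format name, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original stream).
    The hop limit stops a pointer loop in a hostile packet."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:          # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", (end if end is not None else offset)


def parse_header_and_zone(msg):
    """Return the header fields and, if present, the first Zone entry.
    For an UPDATE the four count fields are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, zocount, prcount, upcount, adcount = struct.unpack_from("!6H", msg, 0)
    info = {
        "id": ident,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "zocount": zocount, "prcount": prcount,
        "upcount": upcount, "adcount": adcount,
        "zone": None, "ztype": None, "zclass": None,
    }
    if zocount:
        zone, off = read_name(msg, 12)
        info["zone"] = zone
        info["ztype"], info["zclass"] = struct.unpack_from("!HH", msg, off)
    return info


def classify(msg, master_zones):
    """Classify one inbound DNS message against the zones we are master for.
    master_zones: set of fully qualified, lower-case names such as "example.com"."""
    info = parse_header_and_zone(msg)
    if info["qr"] != 0 or info["opcode"] != OPCODE_UPDATE:
        return "not-update"
    if info["zocount"] != 1 or info["ztype"] != TYPE_SOA:
        return "malformed-update"          # RFC 2136 wants exactly one SOA zone entry
    if info["zone"] in master_zones:
        return "update-to-master-zone"
    return "update-to-other-zone"


def build_message(opcode, name, rrtype, ident=0x1234):
    """Constructed packet: header plus one question/zone entry. The names
    used below are placeholders, not real targets."""
    flags = (opcode & 0xF) << 11
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rrtype, CLASS_IN)


if __name__ == "__main__":
    masters = {"example.com."}
    for label, pkt in [
        ("update to master zone", build_message(OPCODE_UPDATE, "example.com", TYPE_SOA)),
        ("update to slave/other zone", build_message(OPCODE_UPDATE, "example.net", TYPE_SOA)),
        ("ordinary query", build_message(OPCODE_QUERY, "www.example.com", TYPE_A)),
    ]:
        print(f"{label}: {classify(pkt, masters)}")
```

The same header test (QR bit clear, opcode 5) is what a packet filter or IDS rule would key on to flag UPDATE traffic reaching a master before a fixed BIND is deployed; the zone lookup is what distinguishes the case ISC describes as exploitable (master zone) from the one it says does not trigger the crash (slave zone). Note that `classify` deliberately does not parse the prerequisite or update sections, so it tells you only that a packet is a candidate, not that it is malicious.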
Impact
By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.
Solution
Apply an update. ISC has released BIND 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1 to address this vulnerability (see the release pages in the References section); users of vendor-packaged BIND should apply the corresponding vendor update listed below.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Inc. | Affected | 28 Jul 2009 | 17 Aug 2009 |
| BlueCat Networks, Inc. | Affected | 28 Jul 2009 | 30 Jul 2009 |
| Debian GNU/Linux | Affected | 28 Jul 2009 | 03 Aug 2009 |
| F5 Networks, Inc. | Affected | 28 Jul 2009 | 31 Jul 2009 |
| FreeBSD, Inc. | Affected | 28 Jul 2009 | 30 Jul 2009 |
| Hewlett-Packard Company | Affected | 28 Jul 2009 | 26 Aug 2009 |
| Infoblox | Affected | 28 Jul 2009 | 30 Jul 2009 |
| Internet Systems Consortium | Affected | 28 Jul 2009 | 28 Jul 2009 |
| Nixu | Affected | 28 Jul 2009 | 30 Jul 2009 |
| OpenBSD | Affected | 28 Jul 2009 | 30 Jul 2009 |
| Red Hat, Inc. | Affected | 28 Jul 2009 | 30 Jul 2009 |
| Sun Microsystems, Inc. | Affected | 28 Jul 2009 | 30 Jul 2009 |
| SUSE Linux | Affected | 28 Jul 2009 | 31 Jul 2009 |
| Ubuntu | Affected | 28 Jul 2009 | 29 Jul 2009 |
| Nominum | Not Affected | 28 Jul 2009 | 30 Jul 2009 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- https://www.isc.org/node/474
- http://tools.ietf.org/html/rfc2136
- http://oldwww.isc.org/sw/bind/view?release=9.4.3-P3&noframes=1
- http://oldwww.isc.org/sw/bind/view?release=9.5.1-P3&noframes=1
- http://oldwww.isc.org/sw/bind/view?release=9.6.1-P1&noframes=1
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975
Credit
Thanks to ISC for reporting this vulnerability.
This document was written by Will Dormann and Chad Dougherty.
Other Information
- CVE IDs: CVE-2009-0696
- Date Public: 28 Jul 2009
- Date First Published: 28 Jul 2009
- Date Last Updated: 27 Aug 2009
- Severity Metric: 26.32
- Document Revision: 32