Vulnerability Note VU#725188

ISC BIND 9 vulnerable to denial of service via dynamic update request

Original Release date: 28 Jul 2009 | Last revised: 27 Aug 2009

Overview

ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.

Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136. BIND 9 can crash when processing a specially-crafted dynamic update packet.

ISC notes that this vulnerability affects all servers that are masters for one or more zones and is not limited to those that are configured to allow dynamic updates. ISC also indicates that the attack packet has to be constructed for a zone for which the target system is configured as a master; launching the attack against slave zones does not trigger the vulnerability.

Impact

By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.

Solution

Apply an update
Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the Systems Affected section of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC BIND versions 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate.
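A small check that compares an installed BIND version string (for example the line printed by `named -v`) against the three fixed releases named above. This is an added example, not code from the note or from ISC; it assumes a build from the ISC source distribution, because vendor packages listed in Systems Affected backport fixes without changing the upstream version string.

```python
import re
import sys

# Fixed releases named in VU#725188, keyed by (major, minor) branch.
# A -P level of 0 means a release with no -P suffix.
FIXED_RELEASES = {
    (9, 4): (9, 4, 3, 3),   # 9.4.3-P3
    (9, 5): (9, 5, 1, 3),   # 9.5.1-P3
    (9, 6): (9, 6, 1, 1),   # 9.6.1-P1
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_bind_version(text):
    """Return (major, minor, patch, plevel) from a string such as
    '9.4.3-P3' or the 'BIND 9.6.1-P1' line printed by `named -v`."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no BIND version found in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_fixed(text):
    """True if the version is at or above the fixed release on its branch,
    False if it is below it, and None if the note names no fixed release
    for that branch (e.g. 9.3 and earlier), so nothing can be concluded.
    Assumption: an ISC source build. Vendor packages may carry the fix
    under an older version string; consult the vendor advisory instead."""
    version = parse_bind_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    # Tuple comparison orders by major, minor, patch, then -P level.
    return version >= fixed


if __name__ == "__main__":
    # Constructed sample used when no version string is given on the command line.
    sample = sys.argv[1] if len(sys.argv) > 1 else "BIND 9.4.3-P2"
    verdict = {True: "fixed", False: "vulnerable", None: "not covered by VU#725188"}
    print("%s: %s" % (sample, verdict[is_fixed(sample)]))
```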

See also https://www.isc.org/node/474.

Systems Affected

Vendor                         Status        Date Notified  Date Updated
Apple Inc.                     Affected      28 Jul 2009    17 Aug 2009
BlueCat Networks, Inc.         Affected      28 Jul 2009    30 Jul 2009
Debian GNU/Linux               Affected      28 Jul 2009    03 Aug 2009
F5 Networks, Inc.              Affected      28 Jul 2009    31 Jul 2009
FreeBSD, Inc.                  Affected      28 Jul 2009    30 Jul 2009
Hewlett-Packard Company        Affected      28 Jul 2009    26 Aug 2009
Infoblox                       Affected      28 Jul 2009    30 Jul 2009
Internet Systems Consortium    Affected      28 Jul 2009    28 Jul 2009
Nixu                           Affected      28 Jul 2009    30 Jul 2009
OpenBSD                        Affected      28 Jul 2009    30 Jul 2009
Red Hat, Inc.                  Affected      28 Jul 2009    30 Jul 2009
Sun Microsystems, Inc.         Affected      28 Jul 2009    30 Jul 2009
SUSE Linux                     Affected      28 Jul 2009    31 Jul 2009
Ubuntu                         Affected      28 Jul 2009    29 Jul 2009
Nominum                        Not Affected  28 Jul 2009    30 Jul 2009

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

Thanks to ISC for reporting this vulnerability.

This document was written by Will Dormann and Chad Dougherty.

Other Information

  • CVE IDs: CVE-2009-0696
  • Date Public: 28 Jul 2009
  • Date First Published: 28 Jul 2009
  • Date Last Updated: 27 Aug 2009
  • Severity Metric: 26.32
  • Document Revision: 32

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.