Vulnerability Note VU#915404
BIND vulnerable to an assertion failure when querying for SIG records
A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). A flaw exists in the way that some versions of BIND handle DNS Security Extensions (DNSSEC) signed Resource Record Sets (RRsets).
The specific impact of this vulnerability is slightly different depending on the type of DNS server involved. For recursive servers, queries for SIG records will trigger an assertion failure if more than one SIG(covered) RRset is returned. For authoritative servers, if a name server is serving a RFC 2535 DNSSEC zone and is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g., a zone apex) then the name server daemon will trigger an assertion failure when it tries to construct the response.
A remote attacker may be able to cause the name server daemon to crash, thereby causing a denial of service for DNS operations.
Apply a patch from the vendor
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Debian GNU/Linux||Affected||23 Aug 2006||11 Sep 2006|
|F5 Networks, Inc.||Affected||23 Aug 2006||07 Sep 2006|
|FreeBSD, Inc.||Affected||23 Aug 2006||07 Sep 2006|
|Gentoo Linux||Affected||23 Aug 2006||02 Oct 2006|
|Internet Software Consortium||Affected||18 Aug 2006||06 Sep 2006|
|Mandriva, Inc.||Affected||23 Aug 2006||11 Sep 2006|
|NetBSD||Affected||23 Aug 2006||02 Oct 2006|
|OpenBSD||Affected||23 Aug 2006||07 Sep 2006|
|OpenPKG||Affected||-||07 Sep 2006|
|Openwall GNU/*/Linux||Affected||23 Aug 2006||11 Sep 2006|
|rPath||Affected||-||25 Sep 2006|
|Slackware Linux Inc.||Affected||23 Aug 2006||02 Oct 2006|
|Trustix Secure Linux||Affected||23 Aug 2006||02 Oct 2006|
|Ubuntu||Affected||23 Aug 2006||07 Sep 2006|
|Hitachi||Not Affected||23 Aug 2006||05 Sep 2006|
CVSS Metrics (Learn More)
Thanks to Joao Damas of the Internet Software Consortium for reporting this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: CVE-2006-4095
- Date Public: 05 Sep 2006
- Date First Published: 05 Sep 2006
- Date Last Updated: 02 Oct 2006
- Severity Metric: 7.83
- Document Revision: 13
If you have feedback, comments, or additional information about this vulnerability, please send us email.