Vulnerability Note VU#915404

BIND vulnerable to an assertion failure when querying for SIG records

Original Release date: 05 Sep 2006 | Last revised: 02 Oct 2006

Overview

A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.

Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). A flaw exists in the way that some versions of BIND handle DNS Security Extensions (DNSSEC) signed Resource Record Sets (RRsets).

The specific impact of this vulnerability differs slightly depending on the type of DNS server involved. For recursive servers, queries for SIG records will trigger an assertion failure if more than one SIG(covered) RRset is returned. For authoritative servers, if a name server is serving an RFC 2535 DNSSEC zone and is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g., a zone apex), then the name server daemon will trigger an assertion failure when it tries to construct the response.

This vulnerability affects BIND 9.3.x versions 9.3.0, 9.3.1, 9.3.2, 9.3.3b, and 9.3.3rc1, and BIND 9.4.x versions 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, and 9.4.0b1.

Impact

A remote attacker may be able to cause the name server daemon to crash, thereby causing a denial of service for DNS operations.

Solution

Apply a patch from the vendor

Patches have been released in response to this issue. Please see the Systems Affected section of this document.

Upgrade

Users who compile their own versions of BIND from the original ISC source code are encouraged to upgrade to BIND 9.3.2-P1. Patches for this issue are also included in BIND versions 9.3.3rc2 and 9.4.0b2. Patched versions of the software are available from the BIND download page.

Restrict Access

Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion.
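
The following named.conf fragment is an added illustration of this workaround, not configuration taken from ISC or from this note. The ACL name and the address ranges are placeholders (documentation ranges) and must be replaced with the site's own client networks.

```conf
// named.conf fragment (constructed example).
// "trusted-clients" is a placeholder ACL name; the networks below are
// documentation ranges standing in for the site's real client networks.
acl trusted-clients {
    localhost;          // built-in ACL: the server's own addresses
    192.0.2.0/24;       // placeholder: internal client network
    198.51.100.0/24;    // placeholder: second internal network
};

options {
    // Unrestricted form, shown for contrast: any source may ask for recursion.
    // allow-recursion { any; };

    // Restricted form: only the listed sources may ask for recursion.
    allow-recursion { trusted-clients; };
};
```

This setting only controls which sources may request recursion; it does not change how the server answers queries for zones it serves authoritatively. Running named-checkconf on the edited file before reloading catches syntax errors.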

Systems Affected

Vendor                        Status        Date Notified  Date Updated
Debian GNU/Linux              Affected      23 Aug 2006    11 Sep 2006
F5 Networks, Inc.             Affected      23 Aug 2006    07 Sep 2006
FreeBSD, Inc.                 Affected      23 Aug 2006    07 Sep 2006
Gentoo Linux                  Affected      23 Aug 2006    02 Oct 2006
Internet Software Consortium  Affected      18 Aug 2006    06 Sep 2006
Mandriva, Inc.                Affected      23 Aug 2006    11 Sep 2006
NetBSD                        Affected      23 Aug 2006    02 Oct 2006
OpenBSD                       Affected      23 Aug 2006    07 Sep 2006
OpenPKG                       Affected      -              07 Sep 2006
Openwall GNU/*/Linux          Affected      23 Aug 2006    11 Sep 2006
rPath                         Affected      -              25 Sep 2006
Slackware Linux Inc.          Affected      23 Aug 2006    02 Oct 2006
Trustix Secure Linux          Affected      23 Aug 2006    02 Oct 2006
Ubuntu                        Affected      23 Aug 2006    07 Sep 2006
Hitachi                       Not Affected  23 Aug 2006    05 Sep 2006
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

Thanks to Joao Damas of the Internet Software Consortium for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CVE-2006-4095
  • Date Public: 05 Sep 2006
  • Date First Published: 05 Sep 2006
  • Date Last Updated: 02 Oct 2006
  • Severity Metric: 7.83
  • Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.