search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BIND 9 DNSSEC validation code could cause fake NXDOMAIN responses

Vulnerability Note VU#360341

Original Release Date: 2010-01-19 | Last Revised: 2010-01-27

Overview

A vulnerability exists in the BIND 9 DNSSEC validation code that could be used by an attacker to generate fake NXDOMAIN responses.

Description

BIND 9 contains a vulnerability in DNSSEC validation code. According to ISC:

There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set.

This issue affects BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P4, 9.5.0 -> 9.5.2-P1, 9.6.0 -> 9.6.1-P2

Impact

An attacker may be able to add fake NXDOMAIN records to a resolver's cache.

Solution

Upgrade BIND to version 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.

Vendor Information

360341
 
Affected   Unknown   Unaffected

Fedora Project

Notified:  January 15, 2010 Updated:  January 27, 2010

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Fedora has published more information regarding this issue:

http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034196.html

Internet Systems Consortium

Notified:  January 15, 2010 Updated:  January 19, 2010

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see https://www.isc.org/advisories/CVE-2010-0097 for more information regarding the vulnerability.

Red Hat, Inc.

Notified:  January 15, 2010 Updated:  January 27, 2010

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Red Hat has published more information regarding this issue:

http://rhn.redhat.com/errata/RHSA-2010-0062.html

Sun Microsystems, Inc.

Notified:  January 15, 2010 Updated:  January 27, 2010

Statement Date:   January 21, 2010

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see the following document for more information:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-275890-1

The SCO Group

Notified:  January 15, 2010 Updated:  January 27, 2010

Statement Date:   January 18, 2010

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified:  January 15, 2010 Updated:  January 27, 2010

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Ubuntu has published more information regarding this issue:

http://www.ubuntu.com/usn/USN-888-1

Alcatel-Lucent

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BlueCat Networks, Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gnu ADNS

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Men & Mice

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nominum

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Shadowsupport

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  January 15, 2010 Updated:  January 14, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This issue was reported by ISC

This document was written by David Warren.

Other Information

CVE IDs: CVE-2010-0097
Date Public: 2010-01-19
Date First Published: 2010-01-19
Date Last Updated: 2010-01-27 19:37 UTC
Document Revision: 12

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.