search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ISC BIND denial of service vulnerability

Vulnerability Note VU#718460

Original Release Date: 2007-05-03 | Last Revised: 2007-07-03

Overview

A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.

Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC).


BIND version 9.4.0 contains a vulnerability in the way that the query_addsoa() function is called. A remote attacker with the ability to send a specific sequence of queries to a vulnerable system can cause the nameserver to exit. Note that recursion must be enabled on the nameserver for this vulnerability to be exposed.

Impact

A remote attacker may be able to cause the name server daemon to exit prematurely, thereby causing a denial of service for DNS operations.

Solution

Upgrade

Users who compile their own copies of the affected version of BIND (9.4.0) from the original ISC source code are encouraged to upgrade to BIND version 9.4.1 (or later), which includes a patch for this issue.

Workarounds


Disable Recursion
Users, particularly those who are not able to upgrade, are encouraged to disable recursion ('recursion no;' set in named.conf) if it is not required by their configuration.

Vendor Information

718460
 
Affected   Unknown   Unaffected

Internet Software Consortium

Notified:  April 30, 2007 Updated:  May 02, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

ISC has published BIND version 9.4.1 to address this vulnerability. Users who compile their own versions of BIND from the original ISC source code are encouraged to upgrade to this version (or later) of the software.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc.

Notified:  May 02, 2007 Updated:  May 15, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandriva has published Mandriva Security Advisory MDKSA-2007:100 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  May 02, 2007 Updated:  July 03, 2007

Status

  Vulnerable

Vendor Statement

No formal NetBSD release included BIND 9.4.0.  However 9.4.0 was in CVS
HEAD sources for a little while before being updated to 9.4.1.  We have
sent out a short note to anyone who might be running with 9.4.0:

http://mail-index.netbsd.org/current-users/2007/07/01/0010.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc.

Notified:  May 02, 2007 Updated:  May 15, 2007

Status

  Not Vulnerable

Vendor Statement

Please list Apple as not vulnerable to VU#718460.  We do not currently ship BIND 9.4.0 in our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc.

Notified:  May 02, 2007 Updated:  May 09, 2007

Status

  Not Vulnerable

Vendor Statement

Our development team has reviewed this information and determined that
there is no impact on NetWare and OES Linux DNS Servers.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  May 02, 2007 Updated:  May 09, 2007

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not affected.  We currently use BIND 9.3.4, not
the affected version 9.4.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc.

Notified:  May 02, 2007 Updated:  May 03, 2007

Status

  Not Vulnerable

Vendor Statement

The newest version of BIND in any Slackware distribution is 9.3.4, so we
are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  May 02, 2007 Updated:  May 15, 2007

Status

  Not Vulnerable

Vendor Statement

This is to inform you that Sun Solaris is not affected by this issue since we
do not ship any of the BIND releases that are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified:  May 02, 2007 Updated:  May 03, 2007

Status

  Not Vulnerable

Vendor Statement

Ubuntu is unaffected.  None of our releases contain BIND 9.4.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

BlueCat Networks, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Check Point Software Technologies

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation)

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

GNU glibc

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gnu ADNS

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Infoblox

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lucent Technologies

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Men & Mice

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Metasolv Software, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nortel Networks, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Shadowsupport

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  May 02, 2007 Updated:  May 02, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 52 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Mark Andrews of the Internet Systems Consortium (ISC) for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2007-2241
Severity Metric: 6.90
Date Public: 2007-05-01
Date First Published: 2007-05-03
Date Last Updated: 2007-07-03 14:13 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.