47 replies to this topic

[AplusWebMaster]

FYI...

BIND 9.x security patch
- http://isc.sans.org/...ml?storyid=5641
Last Updated: 2009-01-08 02:00:56 UTC - ""The Internet Systems Consortium [ http://www.isc.org ] has released an update for all supported BIND 9.x versions today (2009-Jan-07) containing a security patch to address a potential DNS poisoning vector. *NOTE* This patch release does not appear to be an emergency situation requiring immediate updates for all... Patch deployment would appear most critical among recursive name resolvers. The flaw affects all actively developed and supported versions prior to and resolved with today's release of BIND 9.3.6-P1, 9.4.3-P1, 9.5.0-P2(-W2), 9.5.1-P1 and 9.6.0-P1... check with your vendor.
From the BIND "RELEASE NOTES" relative to each specific supported version:
"BIND 9.6.0-P1 is a SECURITY patch for BIND 9.6.0. It addresses a bug in which return values from some OpenSSL functions were left unchecked, making it theoretically possible to spoof answers from some signed zones."
ISC BIND Server software Index
https://www.isc.org/downloadables/11 ..."

> https://www.isc.org/node/373
7 January 2009

- http://web.nvd.nist....d=CVE-2009-0025
- http://web.nvd.nist....d=CVE-2008-5077

Edited by AplusWebMaster, 14 September 2012 - 08:56 AM.

[AplusWebMaster]

FYI...

BIND Dynamic Update DoS - update
- https://www.isc.org/node/474
CVE: CVE-2009-0696
CERT: http://www.kb.cert.org/vuls/id/725188
Posting date: 2009-07-28
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.
Description:
Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.
This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.
dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.
db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).
Workarounds: None.
(Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)

Active exploits: An active remote exploit is in wide circulation at this time.
Solution: Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:
http://ftp.isc.org/i...9.6.1-P1.tar.gz
http://ftp.isc.org/i...9.5.1-P3.tar.gz
http://ftp.isc.org/i...9.4.3-P3.tar.gz ...

ISC BIND Dynamic Update Denial of Service Vuln
- http://secunia.com/advisories/36038/2/
Release Date: 2009-07-29
Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch ...

- http://www.us-cert.g...nsortium_bind_9
July 29, 2009

Edited by AplusWebMaster, 29 July 2009 - 10:11 AM.
Added Secunia advisory, US-CERT links...

[AplusWebMaster]

FYI...

ISC BIND DNSSEC Cache Poisoning vuln - update available
- http://secunia.com/advisories/37426/2/
Release Date: 2009-11-25
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.4.x, ISC BIND 9.5.x, ISC BIND 9.6.x ...
Solution: Update to version 9.4.3-P4, 9.5.2-P1, or 9.6.1-P2.
https://www.isc.org/downloadables/11
Original Advisory:
https://www.isc.org/node/504
CVE reference:
- http://web.nvd.nist....d=CVE-2009-4022
Last revised: 11/27/2009

- http://atlas.arbor.n...ndex#1385906170

Edited by AplusWebMaster, 05 December 2009 - 06:10 AM.

[AplusWebMaster]

FYI...

BIND name server updates - DNSSEC
- http://isc.sans.org/...ml?storyid=7750
Last Updated: 2009-12-15 13:47:50 UTC - "Over the first half of 2010, ICANN/IANA plan to sign the root zone [1]. The DNSSEC signature will use SHA256 hashes, which are not supported in older but common versions of BIND. If you run BIND 9.6.0 or 9.6.0P1, you may have issues with these signatures. The bug was fixed in BIND 9.6.1.
From the ISC.org mailing list:
"ISC has arranged for two test zones to be made available which are signed using the new algorithms which are listed in dlv.isc.org.
You can test whether you can successfully resolve these zones using the following queries.
dig rsasha256.island.dlvtest.dns-oarc.net soa
dig rsasha512.island.dlvtest.dns-oarc.net soa

[1] http://www.icann.org...-09oct08-en.htm
[2] https://www.isc.org/...are/bind/dnssec "

[AplusWebMaster]

FYI...

BIND v9.6.1-P3 released
- http://isc.sans.org/...ml?storyid=8029
Last Updated: 2010-01-20 03:24:17 UTC - "Internet Systems Consortium (ISC) announced the release of the BIND 9.6.1-P3 security patch to address two cache poisoning vulnerabilities, "both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid."
- https://www.isc.org/...s/CVE-2010-0097
- https://www.isc.org/...CVE-2009-4022v6
You can download BIND 9.6.1-P3 from:
ftp://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.6.1-P3/BIND9.6.1-P3.zip (binary kit for Windows XP/2003/2008)..."

- http://secunia.com/advisories/38219/2/
Release Date: 2010-01-20
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.4.x, ISC BIND 9.5.x, ISC BIND 9.6.x
US-CERT VU#360341: http://www.kb.cert.org/vuls/id/360341

Edited by AplusWebMaster, 20 January 2010 - 04:33 AM.

[AplusWebMaster]

FYI...

BIND v9.6.2 released
- http://isc.org/files...62.html#RELEASE
28 Feb 2010

- http://isc.org/files....html#DOWNLOADS

Windows Download
- http://isc.org/softw...load/bind962zip

- http://isc.sans.org/...ml?storyid=8335
Last Updated: 2010-03-02 13:19:13 UTC

Edited by AplusWebMaster, 02 March 2010 - 11:24 AM.

[AplusWebMaster]

FYI...

BIND vulns/updates released

Security Advisories
- http://www.isc.org/advisories/bind

- http://secunia.com/advisories/42374/
Release Date: 2010-12-02
Software: ISC BIND 9.6.x, ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/...s/cve-2010-3613

- http://secunia.com/advisories/42435/
Release Date: 2010-12-02
Software: ISC BIND 9.4.x, ISC BIND 9.6.x, ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/...s/cve-2010-3614

- http://secunia.com/advisories/42458/
Release Date: 2010-12-02
Software: ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/...s/cve-2010-3615

- http://www.us-cert.g...vulnerabilities
December 2, 2010

- http://www.securityt....com/id?1024817
Dec 2 2010

Edited by AplusWebMaster, 03 December 2010 - 06:57 AM.

[AplusWebMaster]

FYI...

BIND DoS vuln advisory - v9.7.1-9.7.2-P3
- http://www.isc.org/s...s/cve-2011-0414
22 Feb 2011
Versions affected: 9.7.1-9.7.2-P3
Severity: High
Exploitable: remotely
"... upgrade to BIND 9.7.3.... If you run BIND 9.6.x, 9.6-ESV-Rx, or 9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is End of Life and is not supported by ISC. BIND 9.8 is -not- vulnerable..."

- http://www.isc.org/software/bind

- http://www.securityt....com/id/1025110
Feb 23 2011

- http://web.nvd.nist....d=CVE-2011-0414
Last revised: 02/23/2011

[AplusWebMaster]

FYI...

BIND - DoS vuln - update available
- http://secunia.com/advisories/44416/
Release Date: 2011-05-06
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.8.x
CVE Reference: CVE-2011-1907
Solution: Update to version 9.8.0-P1 or higher.
Original Advisory: https://www.isc.org/CVE-2011-1907

- http://www.securityt....com/id/1025503
May 6 2011

[AplusWebMaster]

FYI...

ISC BIND vuln...
- http://secunia.com/advisories/44719/
Release Date: 2011-05-27
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Software: ISC BIND 9.4.x, 9.6.x, 9.7.x, 9.8.x
CVE Reference: CVE-2011-1910
Solution: Update to version 9.4-ESV-R4-P1 as soon as available or versions 9.6-ESV-R4-P1, 9.7.3-P1, and 9.8.0-P2.
Original Advisory: https://www.isc.org/...s/cve-2011-1910

[AplusWebMaster]

FYI...

ISC BIND - DoS vulns/updates
- http://web.nvd.nist....d=CVE-2011-2464
- http://web.nvd.nist....d=CVE-2011-2465

- http://secunia.com/advisories/45082/
Release Date: 2011-07-05
Criticality level: Moderately critical
Impact: DoS
Where: From remote ...
Software: ISC BIND 9.6.x, ISC BIND 9.7.x
Solution: Update to versions 9.6-ESV-R4-P3, 9.7.3-P3.
Original Advisory: http://www.isc.org/s...s/cve-2011-2464
Severity: High
- http://secunia.com/advisories/45185/
Release Date: 2011-07-05
Criticality level: Moderately critical
Impact: DoS
Where: From remote ...
Software: ISC BIND 9.8.x
Solution: Update to version 9.8.0-P4.
Original Advisory: http://www.isc.org/s...s/cve-2011-2465
Severity: High
- http://www.securityt....com/id/1025743
- http://www.securityt....com/id/1025742
Jul 5 2011
___

IBM AIX BIND - DNSSEC
- http://aix.software....9_advisory2.asc
Jul 15 2011
CVE Numbers:
- http://web.nvd.nist....d=CVE-2010-3613
- http://web.nvd.nist....d=CVE-2010-3614

Edited by AplusWebMaster, 18 July 2011 - 04:34 PM.

[AplusWebMaster]

FYI...

BIND 9 updates released

- https://www.isc.org/...s/cve-2011-4313
5 December update... "... Workarounds:
The best solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
5 December Update: For customers who are unable to migrate immediately to a patched version of BIND, there is now a mitigation strategy available. ISC continues to strongly recommend installing a patched version as the safest course of action, but if circumstances prevent you from doing so you can still reduce or eliminate your exposure to the CVE-2011-4313 vulnerability with a configuration option addition to named.conf.
Please see this Supplemental page* in our KnowledgeBase for full details of this workaround and other operational considerations...
* https://deepthought....rticle/AA-00549
Last Updated: 2011-12-05
• Authoritative-only servers are -not- vulnerable. Only servers acting in a recursive / resolving capacity are affected.
• Recursive servers are vulnerable if they query zones which you do not directly control (for example, if they query zones on the internet.)
• Resolving queries through a forwarder does not prevent exposure to this vulnerability.
• You are potentially vulnerable if you resolve queries for data provided by a third party. Examples could include addresses in email, html links in web pages, or queries submitted by users..."

* https://www.isc.org/...s/cve-2011-4313
16 November 2011 - "... reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9...
CVE: CVE-2011-4313
Versions affected: All currently supported versions of BIND, 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x
Severity: Serious
Exploitable: Remotely ...
Workarounds: No workarounds are known. The solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
Active exploits: Under investigation
Solution: Patches mitigating the issue are available at:
https://www.isc.org/...are/bind/981-p1
https://www.isc.org/...are/bind/974-p1
https://www.isc.org/...nd/96-esv-r5-p1
https://www.isc.org/...nd/94-esv-r5-p1 ...

- https://secunia.com/advisories/46887/
Last Update: 2011-11-17
Criticality level: Highly critical
Impact: DoS
Where: From remote
... vulnerability is reported in versions 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x.
Solution: Update to a fixed version or apply patch (please see the vendor's advisory* for details)....

- http://www.securityt....com/id/1026335
CVE Reference: http://web.nvd.nist....d=CVE-2011-4313
Date: Nov 17 2011
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x ...

- https://isc.sans.edu...l?storyid=12049
Last Updated: 2011-11-17 12:58:47 UTC

- http://h-online.com/-1380518
17 November 2011 - "... Update: Patches for Red Hat Enterprise Linux have been released; the advisories RHSA-2011:1458 and RHSA-2011:1459 contain further details."
- http://rhn.redhat.co...-2011-1458.html
- http://rhn.redhat.co...-2011-1459.html

- http://www.theregist...n_a_bind_again/
16th November 2011 22:17 GMT - "... apparently being exploited to attack networks, with multiple members of the BIND users email list from Germany, France and the US reporting simultaneous crashes across multiple servers..."

Edited by AplusWebMaster, 05 December 2011 - 10:01 PM.

[AplusWebMaster]

FYI...

Oracle Solaris ISC-BIND vuln
- https://secunia.com/advisories/46984/
Release Date: 2011-11-24
Criticality level: Highly critical
Impact: DoS
Where: From remote
Operating System: Sun Solaris 10.x, 8, 9
CVE Reference: http://web.nvd.nist....d=CVE-2011-4313
CVSS v2 Base Score: 5.0 (MEDIUM)
Last revised: 12/01/2011
Solution: Apply patches.
Original Advisory: http://blogs.oracle...._4313_denial_of
Nov 29, 2011

Others: http://blogs.oracle.com/sunsecurity/
___

- https://www.isc.org/...s/cve-2011-4313
CVE: CVE-2011-4313
16 Nov 2011

Edited by AplusWebMaster, 01 December 2011 - 09:37 AM.

[AplusWebMaster]

FYI...

BIND TCP Memory Leak ...
- http://www.securityt....com/id/1027297
CVE Reference: http://web.nvd.nist....d=CVE-2012-3868 - 4.3
Jul 25 2012
Version(s): 9.9.0 through 9.9.1-P1
Description: A vulnerability was reported in BIND. A remote user can cause denial of service conditions...
Impact: A remote user can cause performance degradation on the target system.
Solution: The vendor has issued a fix (9.9.1-P2).
The vendor's advisory is available at: https://kb.isc.org/article/AA-00730
Severity: High

BIND DNSSEC Validation Cache Failure ...
- http://www.securityt....com/id/1027296
CVE Reference: http://web.nvd.nist....d=CVE-2012-3817 - 7.8 (HIGH)
Jul 25 2012
Version(s): 9.6-ESV-R1 through 9.6-ESV-R7-P1; 9.7.1 through 9.7.6-P1; 9.8.0 through 9.8.3-P1; 9.9.0 through 9.9.1-P1
Description: A vulnerability was reported in BIND. A remote user can cause denial of service conditions...
Impact: A remote user can cause the target system to crash.
Solution: The vendor has issued a fix (9.9.1-P2, 9.8.3-P2, 9.7.6-P2, 9.6-ESV-R7-P2).
The vendor's advisory is available at: https://kb.isc.org/article/AA-00729
Severity: Critical

Edited by AplusWebMaster, 26 July 2012 - 03:08 PM.

[AplusWebMaster]

FYI...

ISC BIND DoS vuln - update available
- http://www.securityt....com/id/1027529
Sep 13 2012
CVE Reference: http://web.nvd.nist....d=CVE-2012-4244 - 7.8 (HIGH)
Impact: Denial of service via network
Solution: The vendor has issued a fix (9.7.6-P3, 9.7.7, 9.6-ESV-R7-P3, 9.6-ESV-R8, 9.8.3-P3, 9.8.4, 9.9.1-P3, 9.9.2).
Description: ... A remote user can cause denial of service conditions.
The vendor's advisory is available at:
https://kb.isc.org/article/AA-00778/74
Severity: Critical

- https://secunia.com/advisories/50610/
Release Date: 2012-09-13
Criticality level: Moderately critical
Impact: DoS
Where: From remote...
___

- https://www.isc.org/...security/matrix

Edited by AplusWebMaster, 14 September 2012 - 09:39 AM.