
BIND 9 Cache Update from Additional Section

CVE: CVE-2009-4022
CERT: VU#418861
Posting date: 2009-11-23
Program Impacted: BIND
Versions affected: 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P3, 9.5.0, 9.5.1,
9.5.2, 9.6.0, 9.6.1-P1
Severity: Medium
Exploitable: Remotely
Summary: A validating recursive nameserver may incorrectly cache records
from the additional section of a query response. If the nameserver is
authoritative-only this will not occur.
Description:

A nameserver with DNSSEC validation enabled may incorrectly add
records to its cache from the additional section of responses received
during resolution of a recursive client query. This behavior only
occurs when processing client queries with checking disabled (CD) at
the same time as requesting DNSSEC records (DO).
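
The condition described above can be checked on captured client queries. The following Python is an added example, not part of the ISC advisory: it parses a raw DNS message and reports whether the CD header bit and the EDNS0 DO bit are both set. The function names and the sample query are constructed for illustration.

```python
import struct

CD_BIT = 0x0010    # DNS header flag: Checking Disabled
DO_BIT = 0x8000    # EDNS0 flag: DNSSEC OK, carried in the OPT record's TTL field
TYPE_OPT = 41      # EDNS0 pseudo-record type

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # a compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:                # root label ends the name
            return off
        off += length

def cd_and_do(msg):
    """True if msg is a DNS query with both the CD bit and the DO bit set."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        if flags & 0x8000:             # QR=1: a response, not a query
            return False
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
        do = False
        for _ in range(an + ns + ar):          # OPT normally sits in additional
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if rtype == TYPE_OPT and ttl & DO_BIT:
                do = True
        return bool(flags & CD_BIT) and do
    except (struct.error, IndexError):
        return False                   # truncated or malformed message

def build_query(name, cd, do):
    """Constructed sample input: an A query for name carrying an OPT record."""
    flags = 0x0100 | (CD_BIT if cd else 0)     # RD, optionally CD
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    opt = b"\0" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT if do else 0, 0)
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1)
    return header + qname + struct.pack("!HH", 1, 1) + opt

if __name__ == "__main__":
    for cd, do in [(True, True), (True, False), (False, True)]:
        print(cd, do, cd_and_do(build_query("example.com", cd, do)))
```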

Impact:

This problem only affects nameservers that allow recursive queries and
are performing DNSSEC validation on behalf of their clients. It is
unlikely to be encountered by most DNSSEC-validating nameservers
because queries that might induce a nameserver to exhibit this
behavior would not normally be received with CD in combination with
DO. We are not aware of any (client) stub resolvers that do this;
however, at least one other DNS server implementation has been
observed crafting queries in this way when forwarding.
Workarounds:
Ensure that recursion is restricted appropriately via the
'allow-recursion' option in named.conf. Disabling DNSSEC validation
will also prevent incorrect caching of additional records due to this
defect. However, this removes DNSSEC validation protection and the
ability of the nameserver to deliver authenticated data in query
responses.
Active exploits:
None known at this time.
Solution:
Upgrade BIND to one of the following: 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2.
There are no fixes available for BIND versions 9.0 through 9.3, as
those releases are at End of Life. Note for BIND 9.7 beta-testers:
BIND 9.7.0b3, which is not yet released, will contain a fix for this.
However, all previous pre-releases of 9.7.0 are vulnerable.

Acknowledgment: Michael Sinatra, UC Berkeley, for finding and
investigating the bug.

Revision History: Nov. 22 - Added VU# for Public Release. Nov. 23 - Added CVE#

Questions should be addressed to bind9-bugs@isc.org

