[AusNOG] [Fwd: Notice: BIND Security Jul2013 CVE2013-4854]
Heinz N
ausnog at equisoft.com.au
Sat Jul 27 13:22:37 EST 2013
Good spot and thanks!
I may have already seen this in the wild. My tcpdump was showing
occasional "unimplemented method" or some such thing randomly hitting
port 53 on various hosts. Naturally I wondered what was going on. This may
explain it.
For authoritative nameservers, I do a string filter at the router that only
lets in requests for hosted domain names. My named(s) never see any of
that malformed crap. You can also filter on undersize & oversized packets.
Pretty cheap insurance if you ask me, plus it reduces the named load.
H.
On Sat, 27 Jul 2013, Noel Butler wrote:
> Urgent Attention Required
>
> -------- Forwarded Message --------
> From: ISC Security Officer
> Subject: Notice: BIND Security Jul2013 CVE2013-4854
> Date: Fri, 26 Jul 2013 13:46:50 -0700
>
> to be 'in the wild' as of 18:00UTC July 26, and exploitation of this
> vulnerability against production servers has been reported by multiple
> organizations. Please be advised that immediate action is recommended.
>
> A specially crafted query can cause BIND to terminate
> CVE: CVE-2013-4854
> Document Version: 2.0
> Posting date: 26 July 2013
> Program Impacted: BIND
> Versions affected: Open source: 9.7.0->9.7.7, 9.8.0->9.8.5-P1,
> 9.9.0->9.9.3-P1, 9.8.6b1 and 9.9.4b1;
> Subscription: 9.9.3-S1 and 9.9.4-S1b1
> Severity: Critical
> Exploitable: Remotely
> Description:
>
> A specially crafted query that includes malformed rdata can cause
> named to terminate with an assertion failure while rejecting the
> malformed query.
>
> BIND 9.6 and BIND 9.6-ESV are unaffected by this problem. Earlier
> branches of BIND 9 are believed to be unaffected but have not
> been tested. BIND 10 is also unaffected by this issue.
>
> Please Note: All versions of BIND 9.7 are known to be affected,
> but these branches are beyond their "end of life" (EOL) and no
> longer receive testing or security fixes from ISC. For current
> information on which versions are actively supported, please see
>
> http://www.isc.org/downloads/software-support-policy/bind-software-status/.
>
> Impact:
>
> Authoritative and recursive servers are equally vulnerable.
> Intentional exploitation of this condition can cause a denial
> of service in all nameservers running affected versions of BIND
> 9. Access Control Lists do not provide any protection from
> malicious clients.
>
> In addition to the named server, applications built using libraries
> from the affected source distributions may crash with assertion
> failures triggered in the same fashion.
>
> CVSS Score: 7.8
>
> CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
>
> For more information on the Common Vulnerability Scoring System and
> to obtain your specific environmental score please visit:
> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
>
>
> Workarounds:
>
> No known workarounds at this time.
>
> Active exploits:
>
> Crashes have been reported by multiple ISC customers. First
> observed in the wild on 26 July 2013, 18:00 UTC.
>
> Solution:
>
> Upgrade to the patched release most closely related to your
> current version of BIND. Open source versions can all be
> downloaded from http://www.isc.org/downloads. Subscription
> version customers will be contacted directly by ISC Support
> regarding delivery.
>
> BIND 9 version 9.8.5-P2
> BIND 9 version 9.9.3-P2
> BIND 9 version 9.9.3-S1-P1 (Subscription version available via DNSco)
>
> Acknowledgements:
>
> ISC would like to thank Maxim Shudrak and the HP Zero Day
> Initiative for reporting this issue.
>
> Document Revision History:
>
> 1.0 Phase One Advance Notification, 18 July 2013
> 1.1 Phases Two and Three Advance Notification, 26 July 2013
> 2.0 Notification to public (Phase Four), 26 July 2013
>
>
>
>
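Added example (not part of the original thread or of ISC's advisory): a Python check that classifies BIND version strings against the affected ranges listed in the advisory above. The host names and banners in SAMPLE are constructed, `classify` and `affected_hosts` are hypothetical helper names, and "not-listed" means only that the advisory does not list that version as affected.

```python
import re

# Affected ranges transcribed from the advisory text above (CVE-2013-4854).
_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([-\w]*)")
# Pre-releases and subscription builds the advisory names individually.
_NAMED_AFFECTED = {"9.8.6b1", "9.9.4b1", "9.9.3-S1", "9.9.4-S1b1"}
# Last affected point release per 9.x branch; its -P2 carries the fix
# (9.8.5-P2 and 9.9.3-P2 in the advisory's Solution section).
_LAST_AFFECTED_PATCH = {8: 5, 9: 3}


def classify(version_text):
    """Return 'affected', 'not-listed' or 'unparsed' for a BIND version string."""
    m = _VER.search(version_text)
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    suffix = m.group(4)
    if m.group(0) in _NAMED_AFFECTED:
        return "affected"
    if major != 9:
        return "not-listed"
    if minor == 7:
        return "affected"            # advisory: all 9.7 versions, EOL, no fix
    if minor not in _LAST_AFFECTED_PATCH:
        return "not-listed"          # e.g. 9.6-ESV-Rn
    if m.group(3) is None:
        return "unparsed"            # "9.8" alone is too vague to classify
    patch, last = int(m.group(3)), _LAST_AFFECTED_PATCH[minor]
    if patch != last:
        # Later point releases are listed only via the named pre-releases.
        return "affected" if patch < last else "not-listed"
    # Same point release as the last affected one: the -P level decides.
    if suffix.startswith("-S"):      # subscription: 9.9.3-S1-P1 is the fix
        return "not-listed" if re.search(r"-P\d+$", suffix) else "affected"
    p = re.fullmatch(r"-P(\d+)", suffix)
    return "not-listed" if p and int(p.group(1)) >= 2 else "affected"


# Constructed inventory: host -> version banner collected from each server.
SAMPLE = {
    "ns1.example.net": "BIND 9.8.5-P1",
    "ns2.example.net": "BIND 9.9.3-P2",
    "ns3.example.net": "BIND 9.7.3",
    "ns4.example.net": "BIND 9.6-ESV-R9",
}


def affected_hosts(inventory):
    """Hosts whose banner falls in the advisory's affected ranges."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")
```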