Bug 754398 (CVE-2011-4313)

Summary: CVE-2011-4313 bind: Remote denial of service against recursive servers via logging negative cache entry
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: anemec, cody, danilo.taveira, eric.eisenhart, fahnoe, herrold, hui.zhu, ibudiman, jeff, kmoriwak, kouyama.yutaka, matt.cavaness, maurizio.antillon, mollo, moshiro, myamazak, ovasik, peter.mueller, rbinkhor, rbryce, rrosario, rvandolson, security-response-team, shyam, smccarty, vdanen, ville
Keywords: Reopened, Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-07-11 08:40:08 UTC
Bug Depends On: 754502, 754504, 754505, 754506, 754507, 754508, 754509, 757109, 833878
Bug Blocks: 754402

Description Jan Lieskovsky 2011-11-16 11:41:48 UTC
A denial of service flaw was found in the way bind, a Berkeley Internet Name Domain (BIND) Domain Name System (DNS) server, performed processing of recursive queries for negative cache entries. A remote attacker could provide a specially-crafted DNS query, forcing the named server to process and log the error message, leading to a named server crash. A different vulnerability than CVE-2009-0696 and CVE-2011-2464.

References:
[1] http://www.isc.org/software/bind/advisories/cve-2011-tbd

Comment 5 Vincent Danen 2011-11-16 17:26:41 UTC
Created bind tracking bugs for this issue

Affects: fedora-all [bug 754509]

Comment 7 Vincent Danen 2011-11-16 18:51:35 UTC
This is CVE-2011-4313.

Comment 8 Adam Tkac 2011-11-16 19:38:29 UTC
*** Bug 754494 has been marked as a duplicate of this bug. ***

Comment 9 Scott McCarty 2011-11-17 14:57:56 UTC
Any ETA for a fix for this?

Comment 10 Sysadmins NIXVAL 2011-11-17 15:16:21 UTC
I have added the patch to the upstream spec file, and I have built an updated rpm package in our repository:

http://repo.nixval.com/nixval-centos/5/updates/repodata/repoview/bind-30-9.3.6-16P1.1.el5.html

I have used the following patch:

http://seclists.org/oss-sec/2011/q4/att-317/bind-9_3_5-up-CVE-2011-4313.diff

Cheers.

Comment 11 Adam Tkac 2011-11-17 16:18:16 UTC
(In reply to comment #10)
> 
> I have used the following patch:
> 
> http://seclists.org/oss-sec/2011/q4/att-317/bind-9_3_5-up-CVE-2011-4313.diff
> 
> Cheers.

The patch is not 100% correct because the 9.3.X version handles negative rdatasets differently. The rbtdb.c part of the patch uses the RDATASET_ATTR_NEGATIVE attribute but this attribute is never set. However, the query.c part of the patch is correct and in my opinion it's sufficient to prevent the crash.

Comment 12 Sysadmins NIXVAL 2011-11-17 16:33:06 UTC
I found the Ubuntu patch, but it is for version 9.7.

This is the only patch I've found.

Comment 13 errata-xmlrpc 2011-11-17 19:47:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1459 https://rhn.redhat.com/errata/RHSA-2011-1459.html

Comment 14 errata-xmlrpc 2011-11-17 19:48:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1458 https://rhn.redhat.com/errata/RHSA-2011-1458.html

Comment 15 Larry Fahnoe 2011-11-17 20:26:27 UTC
What is the position on RHEL 4 with the bind-9.2.4-37.el4 release?

--Larry

Comment 16 Vincent Danen 2011-11-17 21:32:15 UTC
Statement:

(none)

Comment 17 Kazuo Moriwaka 2011-11-25 07:03:14 UTC
ISC updated the document as it affects all BIND9.
Does our statement get effect or not?

> Versions affected: 
> BIND 9.0.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, 9.8.0->9.8.1, 9.9.0a1->9.9.0b1

Comment 18 Danilo Taveira 2011-11-25 12:53:23 UTC
RHEL 4 version is 9.2.4-37.el4, so shouldn't it also be affected?

Comment 21 Jan Lieskovsky 2011-11-25 14:02:49 UTC
(In reply to comment #17)

Hello Kazuo-san,

> ISC updated the document as it affects all BIND9.
> Does our statement get effect or not?

The particular statement has been updated / deleted.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> > Versions affected: 
> > BIND 9.0.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, 9.8.0->9.8.1, 9.9.0a1->9.9.0b1

Comment 22 Jan Lieskovsky 2011-11-25 14:05:46 UTC
(In reply to comment #18)

Hello Danilo,

> RHEL 4 version is 9.2.4-37.el4, so shouldn't it also be affected?

Yes, from communication with upstream it was concluded that the version of the bind package, as shipped with Red Hat Enterprise Linux 4, is vulnerable to the CVE-2011-4313 issue too.

Currently we are working on preparing a bind package update for Red Hat Enterprise Linux 4, and once it has passed all the required testing it will be released.

Hope this helps. Let us know if we can be of any further assistance.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 26 errata-xmlrpc 2011-11-29 14:07:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1496 https://rhn.redhat.com/errata/RHSA-2011-1496.html