Bug 658974 (CVE-2010-3613) - CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named
Summary: CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3613
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20101201,repo...
Depends On: 658987 658990 659266 659267 659268 659269 659270 663898 663899
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-01 18:08 UTC by Vincent Danen
Modified: 2019-06-08 18:41 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-22 15:33:01 UTC


Attachments (Terms of Use)
Patch for 9.7.0 (22.04 KB, patch)
2010-12-02 09:37 UTC, Tomas Hoger
no flags Details | Diff
Patch (6.29 KB, patch)
2010-12-02 12:28 UTC, Adam Tkac
no flags Details | Diff
Complete testing data from the CVE-2010-3613 verification on RHEL6 (24.03 KB, application/x-gzip)
2010-12-09 16:56 UTC, Martin Cermak
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0975 normal SHIPPED_LIVE Important: bind security update 2010-12-13 17:48:28 UTC
Red Hat Product Errata RHSA-2010:0976 normal SHIPPED_LIVE Important: bind security update 2010-12-13 17:54:23 UTC
Red Hat Product Errata RHSA-2010:1000 normal SHIPPED_LIVE Important: bind security update 2010-12-20 18:38:06 UTC

Description Vincent Danen 2010-12-01 18:08:15 UTC
A flaw in how BIND fails to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named (INSIST) was reported [1].

The advisory states:

"Although the defect is very unlikely to be encountered in normal operation, if your recursive resolver is being used to query public Internet zones and you cannot readily restrict your client queries then there is the potential for a remote attacker to cause your nameserver to crash."

The INSIST crashes the server.  This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled.

The upstream advisory [2] notes that this affects BIND versions 9.6.2 through 9.7.2-P2 and is corrected in 9.6.2-P3 and 9.7.2-P3.

[1] http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
[2] http://www.isc.org/software/bind/advisories/cve-2010-3613

Comment 1 Vincent Danen 2010-12-01 18:48:25 UTC
Created bind tracking bugs for this issue

Affects: fedora-14 [bug 658987]
Affects: fedora-13 [bug 658990]

Comment 2 Tomas Hoger 2010-12-02 09:37:41 UTC
Created attachment 464204 [details]
Patch for 9.7.0

Patch to fix CVE-2010-3613 and CVE-2010-3614 in bind 9.7.0.  Extracted from Ubuntu update USN-1025-1.

Comment 4 Adam Tkac 2010-12-02 12:28:06 UTC
Created attachment 464237 [details]
Patch

Comment 5 Richard Phipps 2010-12-02 19:54:33 UTC
Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2 ?

Comment 6 Adam Tkac 2010-12-03 08:29:36 UTC
(In reply to comment #5)
> Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2 ?

Yes, RHEL5's bind is also affected.

Comment 12 errata-xmlrpc 2010-12-13 17:48:34 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0975 https://rhn.redhat.com/errata/RHSA-2010-0975.html

Comment 13 errata-xmlrpc 2010-12-13 17:54:29 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0976 https://rhn.redhat.com/errata/RHSA-2010-0976.html

Comment 21 Calvin Webster 2010-12-17 21:23:16 UTC
What about RHEL4? Red Hat CVE database does not mention whether bind-9.2.4-30.el4_8.5.i386.rpm is vulnerable to CVE-2010-3613 or CVE-2010-3614. 

Government systems must be patched or provide a vendor statement that RHEL4 is not affected.

Comment 22 Vincent Danen 2010-12-18 00:07:57 UTC
Red Hat Enterprise Linux 4 is affected, but in a different way:

Main problem is the attacker can be owner of a nameserver of a certain public
domain and he can temporarily sign the domain via old and deprecated DNSSEC. In
this case he can use that domain to DoS BIND in the RHEL-4. Although it is
unlikely scenario (attacker has to control NS of some domain and has to have
recursive perms on the DoS-ed nameserver), it might happen.

We will be patching RHEL4.

As for CVE-2010-3614, a statement was made regarding that flaw's affects:

"There's no plan to address this low-impact flaw in Red Hat
Enterprise Linux 4, where bind does not implement support for currently used
DNSSEC protocol version." (https://bugzilla.redhat.com/show_bug.cgi?id=658977#c7)

I have made an official statement in that bug which will show up on the CVE pages.  Thank you for bringing that to our attention.

Comment 23 errata-xmlrpc 2010-12-20 18:38:13 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:1000 https://rhn.redhat.com/errata/RHSA-2010-1000.html


Note You need to log in before you can comment on or make changes to this bug.