Bug 658974 (CVE-2010-3613) - CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3613
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 658987 658990 659266 659267 659268 659269 659270 663898 663899
Blocks:
Reported: 2010-12-01 18:08 UTC by Vincent Danen
Modified: 2019-09-29 12:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-22 15:33:01 UTC
Embargoed:


Attachments
Patch for 9.7.0 (22.04 KB, patch)
2010-12-02 09:37 UTC, Tomas Hoger
Patch (6.29 KB, patch)
2010-12-02 12:28 UTC, Adam Tkac
Complete testing data from the CVE-2010-3613 verification on RHEL6 (24.03 KB, application/x-gzip)
2010-12-09 16:56 UTC, Martin Cermak


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0975 0 normal SHIPPED_LIVE Important: bind security update 2010-12-13 17:48:28 UTC
Red Hat Product Errata RHSA-2010:0976 0 normal SHIPPED_LIVE Important: bind security update 2010-12-13 17:54:23 UTC
Red Hat Product Errata RHSA-2010:1000 0 normal SHIPPED_LIVE Important: bind security update 2010-12-20 18:38:06 UTC

Description Vincent Danen 2010-12-01 18:08:15 UTC
A flaw in how BIND fails to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named (INSIST) was reported [1].

The advisory states:

"Although the defect is very unlikely to be encountered in normal operation, if your recursive resolver is being used to query public Internet zones and you cannot readily restrict your client queries then there is the potential for a remote attacker to cause your nameserver to crash."

The INSIST crashes the server.  This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled.

The upstream advisory [2] notes that this affects BIND versions 9.6.2 through 9.7.2-P2 and is corrected in 9.6.2-P3 and 9.7.2-P3.

[1] http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
[2] http://www.isc.org/software/bind/advisories/cve-2010-3613

Comment 1 Vincent Danen 2010-12-01 18:48:25 UTC
Created bind tracking bugs for this issue

Affects: fedora-14 [bug 658987]
Affects: fedora-13 [bug 658990]

Comment 2 Tomas Hoger 2010-12-02 09:37:41 UTC
Created attachment 464204
Patch for 9.7.0

Patch to fix CVE-2010-3613 and CVE-2010-3614 in bind 9.7.0.  Extracted from Ubuntu update USN-1025-1.

Comment 4 Adam Tkac 2010-12-02 12:28:06 UTC
Created attachment 464237
Patch

Comment 5 Richard Phipps 2010-12-02 19:54:33 UTC
Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2 ?

Comment 6 Adam Tkac 2010-12-03 08:29:36 UTC
(In reply to comment #5)
> Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2 ?

Yes, RHEL5's bind is also affected.

Comment 12 errata-xmlrpc 2010-12-13 17:48:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0975 https://rhn.redhat.com/errata/RHSA-2010-0975.html

Comment 13 errata-xmlrpc 2010-12-13 17:54:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0976 https://rhn.redhat.com/errata/RHSA-2010-0976.html

Comment 21 Calvin Webster 2010-12-17 21:23:16 UTC
What about RHEL4? Red Hat CVE database does not mention whether bind-9.2.4-30.el4_8.5.i386.rpm is vulnerable to CVE-2010-3613 or CVE-2010-3614. 

Government systems must be patched or provide a vendor statement that RHEL4 is not affected.

Comment 22 Vincent Danen 2010-12-18 00:07:57 UTC
Red Hat Enterprise Linux 4 is affected, but in a different way:

The main problem is that the attacker can be the owner of a nameserver of a
certain public domain and he can temporarily sign the domain via old and
deprecated DNSSEC. In this case he can use that domain to DoS BIND in RHEL-4.
Although it is an unlikely scenario (the attacker has to control the NS of some
domain and has to have recursive perms on the DoS-ed nameserver), it might happen.

We will be patching RHEL4.

As for CVE-2010-3614, a statement was made regarding that flaw's effects:

"There's no plan to address this low-impact flaw in Red Hat
Enterprise Linux 4, where bind does not implement support for currently used
DNSSEC protocol version." (https://bugzilla.redhat.com/show_bug.cgi?id=658977#c7)

I have made an official statement in that bug which will show up on the CVE pages.  Thank you for bringing that to our attention.

Comment 23 errata-xmlrpc 2010-12-20 18:38:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:1000 https://rhn.redhat.com/errata/RHSA-2010-1000.html
