A flaw was reported [1] in how BIND fails to clear existing RRSIG records when a NO DATA is negatively cached, which could cause subsequent lookups to crash named (INSIST). The advisory states: "Although the defect is very unlikely to be encountered in normal operation, if your recursive resolver is being used to query public Internet zones and you cannot readily restrict your client queries then there is the potential for a remote attacker to cause your nameserver to crash."

The INSIST crashes the server. This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled.

The upstream advisory [2] notes that this affects BIND versions 9.6.2 through 9.7.2-P2 and is corrected in 9.6.2-P3 and 9.7.2-P3.

[1] http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
[2] http://www.isc.org/software/bind/advisories/cve-2010-3613
Created bind tracking bugs for this issue:
Affects: fedora-14 [bug 658987]
Affects: fedora-13 [bug 658990]
Created attachment 464204: Patch for 9.7.0
Patch to fix CVE-2010-3613 and CVE-2010-3614 in bind 9.7.0. Extracted from Ubuntu update USN-1025-1.
Created attachment 464237: Patch
Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2?
(In reply to comment #5)
> Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2?
Yes, RHEL5's bind is also affected.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2010:0975 https://rhn.redhat.com/errata/RHSA-2010-0975.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0976 https://rhn.redhat.com/errata/RHSA-2010-0976.html
What about RHEL4? Red Hat CVE database does not mention whether bind-9.2.4-30.el4_8.5.i386.rpm is vulnerable to CVE-2010-3613 or CVE-2010-3614. Government systems must be patched or provide a vendor statement that RHEL4 is not affected.
Red Hat Enterprise Linux 4 is affected, but in a different way:

The main problem is that the attacker can be the owner of a nameserver of a certain public domain and can temporarily sign the domain via old and deprecated DNSSEC. In this case he can use that domain to DoS BIND in RHEL-4. Although it is an unlikely scenario (the attacker has to control the NS of some domain and has to have recursive perms on the DoS-ed nameserver), it might happen.

We will be patching RHEL4.

As for CVE-2010-3614, a statement was made regarding that flaw's effects: "There's no plan to address this low-impact flaw in Red Hat Enterprise Linux 4, where bind does not implement support for currently used DNSSEC protocol version." (https://bugzilla.redhat.com/show_bug.cgi?id=658977#c7)

I have made an official statement in that bug which will show up on the CVE pages. Thank you for bringing that to our attention.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Via RHSA-2010:1000 https://rhn.redhat.com/errata/RHSA-2010-1000.html
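The upstream range quoted in the description (9.6.2 through 9.7.2-P2, corrected in 9.6.2-P3 and 9.7.2-P3) can be checked mechanically across an inventory of resolvers. The following is an added example, not part of the original bug report or of BIND; `classify` and its status strings are hypothetical names, and it assumes plain upstream version strings, optionally prefixed with "BIND " as printed by `named -v`.

```python
import re

# Upstream range from the bug description: 9.6.2 through 9.7.2-P2 affected,
# corrected in 9.6.2-P3 and 9.7.2-P3.
FIRST_AFFECTED = (9, 6, 2)
FIXED_IN = {(9, 6): ((9, 6, 2), 3), (9, 7): ((9, 7, 2), 3)}

# Plain upstream release strings only, e.g. "9.7.2-P2" or "BIND 9.6.2".
UPSTREAM = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def classify(version: str) -> str:
    """Classify a BIND version string against the upstream range."""
    m = UPSTREAM.match(version.strip())
    if not m:
        # Distribution builds (e.g. "bind-9.3.6-4.P1.el5_4.2") carry backported
        # fixes, so the upstream comparison does not apply to them.
        return "check-vendor-errata"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    plevel = int(m.group(4) or 0)
    release, branch = (major, minor, patch), (major, minor)
    if release < FIRST_AFFECTED or branch not in FIXED_IN:
        # Not covered by the range the description quotes; not a "safe" verdict.
        return "outside-upstream-range"
    # Assumption: later releases on a listed branch include the fix.
    return "fixed" if (release, plevel) >= FIXED_IN[branch] else "affected"


if __name__ == "__main__":
    # Constructed sample inputs.
    for v in ("9.6.2", "9.6.2-P3", "9.7.0", "BIND 9.7.2-P2", "9.7.2-P3",
              "bind-9.3.6-4.P1.el5_4.2"):
        print(f"{v:28} {classify(v)}")
```

A result of `outside-upstream-range` or `check-vendor-errata` still needs the vendor's advisory: the comments above confirm that the RHEL5 build based on 9.3.6 is affected even though it lies outside the upstream range.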