Bug 754398 - (CVE-2011-4313) CVE-2011-4313 bind: Remote denial of service against recursive servers via logging negative cache entry
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20111116,repo...
Keywords: Reopened, Security
Duplicates: 754494
Depends On: 754502 754504 754505 754506 754507 754508 754509 757109 833878
Blocks: 754402
Reported: 2011-11-16 06:41 EST by Jan Lieskovsky
Modified: 2016-07-11 04:40 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-07-11 04:40:08 EDT
External Trackers: Red Hat Knowledge Base (Legacy) 66212

Description Jan Lieskovsky 2011-11-16 06:41:48 EST
A denial of service flaw was found in the way bind, a Berkeley Internet Name Domain (BIND) Domain Name System (DNS) server, performed processing of recursive queries for negative cache entries. A remote attacker could provide a specially-crafted DNS query, forcing the named server to process and log the error message, leading to named server crash. A different vulnerability than CVE-2009-0696 and CVE-2011-2464.

References:
[1] http://www.isc.org/software/bind/advisories/cve-2011-tbd
Comment 5 Vincent Danen 2011-11-16 12:26:41 EST
Created bind tracking bugs for this issue

Affects: fedora-all [bug 754509]
Comment 7 Vincent Danen 2011-11-16 13:51:35 EST
This is CVE-2011-4313.
Comment 8 Adam Tkac 2011-11-16 14:38:29 EST
*** Bug 754494 has been marked as a duplicate of this bug. ***
Comment 9 Scott McCarty 2011-11-17 09:57:56 EST
Any ETA for a fix for this?
Comment 10 Sysadmins NIXVAL 2011-11-17 10:16:21 EST
I have added the patch to the upstream spec file, and I have built an updated rpm package in our repository:

http://repo.nixval.com/nixval-centos/5/updates/repodata/repoview/bind-30-9.3.6-16P1.1.el5.html

I have used the following patch:

http://seclists.org/oss-sec/2011/q4/att-317/bind-9_3_5-up-CVE-2011-4313.diff

Cheers.
Comment 11 Adam Tkac 2011-11-17 11:18:16 EST
(In reply to comment #10)
> 
> I have used the following patch:
> 
> http://seclists.org/oss-sec/2011/q4/att-317/bind-9_3_5-up-CVE-2011-4313.diff
> 
> Cheers.

The patch is not 100% correct because 9.3.X version handles negative rdatasets differently. The rbtdb.c part of the patch uses RDATASET_ATTR_NEGATIVE attribute but this attribute is never set. However the query.c part of the patch is correct and in my opinion it's sufficient to prevent the crash.
Comment 12 Sysadmins NIXVAL 2011-11-17 11:33:06 EST
I found the Ubuntu patch, but it is for version 9.7.

This is the only patch I've found.
Comment 13 errata-xmlrpc 2011-11-17 14:47:59 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1459 https://rhn.redhat.com/errata/RHSA-2011-1459.html
Comment 14 errata-xmlrpc 2011-11-17 14:48:06 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1458 https://rhn.redhat.com/errata/RHSA-2011-1458.html
Comment 15 Larry Fahnoe 2011-11-17 15:26:27 EST
What is the position on RHEL 4 with the bind-9.2.4-37.el4 release?

--Larry
Comment 16 Vincent Danen 2011-11-17 16:32:15 EST
Statement:

(none)
Comment 17 Kazuo Moriwaka 2011-11-25 02:03:14 EST
ISC updated the document as it affects all BIND9.
Does our statement get effect or not?

> Versions affected: 
> BIND 9.0.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, 9.8.0->9.8.1, 9.9.0a1->9.9.0b1
Comment 18 Danilo Taveira 2011-11-25 07:53:23 EST
RHEL 4 version is 9.2.4-37.el4, so shouldn't it also be affected?
Comment 21 Jan Lieskovsky 2011-11-25 09:02:49 EST
(In reply to comment #17)

Hello Kazuo-san,

> ISC updated the document as it affects all BIND9.
> Does our statement get effect or not?

The particular statement has been updated / deleted.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> > Versions affected: 
> > BIND 9.0.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, 9.8.0->9.8.1, 9.9.0a1->9.9.0b1
Comment 22 Jan Lieskovsky 2011-11-25 09:05:46 EST
(In reply to comment #18)

Hello Danilo,

> RHEL 4 version is 9.2.4-37.el4, so shouldn't it also be affected?

Yes, from communication with upstream it was concluded that the version of the bind package, as shipped with Red Hat Enterprise Linux 4, is vulnerable to the CVE-2011-4313 issue too.

Currently we are working on preparing a bind package update for Red Hat Enterprise Linux 4, and once it has passed all the required testing it will be released.

Hope this helps. Let us know if we can be of any further assistance.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 26 errata-xmlrpc 2011-11-29 09:07:07 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1496 https://rhn.redhat.com/errata/RHSA-2011-1496.html