Bug 754398 (CVE-2011-4313) - CVE-2011-4313 bind: Remote denial of service against recursive servers via logging negative cache entry
Summary: CVE-2011-4313 bind: Remote denial of service against recursive servers via lo...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-4313
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 754494 (view as bug list)
Depends On: 754502 754504 754505 754506 754507 754508 754509 757109 833878
Blocks: 754402
TreeView+ depends on / blocked
 
Reported: 2011-11-16 11:41 UTC by Jan Lieskovsky
Modified: 2021-02-24 13:44 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-11 08:40:08 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Legacy) 66212 0 None None None Never
Red Hat Product Errata RHSA-2011:1458 0 normal SHIPPED_LIVE Important: bind security update 2011-11-18 00:44:53 UTC
Red Hat Product Errata RHSA-2011:1459 0 normal SHIPPED_LIVE Important: bind97 security update 2011-11-18 00:43:57 UTC
Red Hat Product Errata RHSA-2011:1496 0 normal SHIPPED_LIVE Important: bind security update 2011-11-29 19:03:59 UTC

Description Jan Lieskovsky 2011-11-16 11:41:48 UTC
A denial of service flaw was found in the way bind, a Berkeley Internet Name Domain (BIND) Domain Name System (DNS) server, performed processing of recursive queries for negative cache entries. A remote attacker could provide a specially-crafted DNS query, forcing the named server to process and log the error message, leading to named server crash. A different vulnerability than CVE-2009-0696 and CVE-2011-2464.

References:
[1] http://www.isc.org/software/bind/advisories/cve-2011-tbd

Comment 5 Vincent Danen 2011-11-16 17:26:41 UTC
Created bind tracking bugs for this issue

Affects: fedora-all [bug 754509]

Comment 7 Vincent Danen 2011-11-16 18:51:35 UTC
This is CVE-2011-4313.

Comment 8 Adam Tkac 2011-11-16 19:38:29 UTC
*** Bug 754494 has been marked as a duplicate of this bug. ***

Comment 9 Scott McCarty 2011-11-17 14:57:56 UTC
Any ETA for a fix for this?

Comment 10 Sysadmins NIXVAL 2011-11-17 15:16:21 UTC
I have added the patch to the upstream spec file, and I have built an updated rpm package in our repository:

http://repo.nixval.com/nixval-centos/5/updates/repodata/repoview/bind-30-9.3.6-16P1.1.el5.html

I have used the following patch:

http://seclists.org/oss-sec/2011/q4/att-317/bind-9_3_5-up-CVE-2011-4313.diff

Cheers.

Comment 11 Adam Tkac 2011-11-17 16:18:16 UTC
(In reply to comment #10)
> 
> I have used the following patch:
> 
> http://seclists.org/oss-sec/2011/q4/att-317/bind-9_3_5-up-CVE-2011-4313.diff
> 
> Cheers.

The patch is not 100% correct because 9.3.X version handles negative rdatasets differently. The rbtdb.c part of the patch uses RDATASET_ATTR_NEGATIVE attribute but this attribute is never set. However the query.c part of the patch is correct and in my opinion it's sufficient to prevent the crash.

Comment 12 Sysadmins NIXVAL 2011-11-17 16:33:06 UTC
I found the Ubuntu patch, but is for version 9.7.

This is the only patch I've found.

Comment 13 errata-xmlrpc 2011-11-17 19:47:59 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1459 https://rhn.redhat.com/errata/RHSA-2011-1459.html

Comment 14 errata-xmlrpc 2011-11-17 19:48:06 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1458 https://rhn.redhat.com/errata/RHSA-2011-1458.html

Comment 15 Larry Fahnoe 2011-11-17 20:26:27 UTC
What is the position on RHEL 4 with the bind-9.2.4-37.el4 release?

--Larry

Comment 16 Vincent Danen 2011-11-17 21:32:15 UTC
Statement:

(none)

Comment 17 Kazuo Moriwaka 2011-11-25 07:03:14 UTC
ISC updated the document as it affects all BIND9.
Does our statement get effect or not?

> Versions affected: 
> BIND 9.0.x -> 9.6.x , 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, > 9.8.0->9.8.1, 9.9.0a1->9.9.0b1

Comment 18 Danilo Taveira 2011-11-25 12:53:23 UTC
RHEL 4 version is 9.2.4-37.el4, so shouldn't it also be affected?

Comment 21 Jan Lieskovsky 2011-11-25 14:02:49 UTC
(In reply to comment #17)

Hello Kazuo-san,

> ISC updated the document as it affects all BIND9.
> Does our statement get effect or not?

The particular statement has been updated / deleted.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> > Versions affected: 
> > BIND 9.0.x -> 9.6.x , 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, > 9.8.0->9.8.1, 9.9.0a1->9.9.0b1

Comment 22 Jan Lieskovsky 2011-11-25 14:05:46 UTC
(In reply to comment #18)

Hello Danilo,

> RHEL 4 version is 9.2.4-37.el4, so shouldn't it also be affected?

Yes, from communication with upstream it concluded the version of bind package, as shipped with Red Hat Enterprise Linux 4 is vulnerable to the CVE-2011-4313 issue too.

Currently we are working on preparing a bind package update for Red Hat Enterprise Linux 4, and once it has passed all the required testing it will be released.

Hope this helps. Let us know if we can be of any further assistance.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 26 errata-xmlrpc 2011-11-29 14:07:07 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1496 https://rhn.redhat.com/errata/RHSA-2011-1496.html


Note You need to log in before you can comment on or make changes to this bug.