[Netsec] BIND 9 Resolver crashes after logging an error in query.c

[an error occurred while processing this directive]

NETSEC Archives

Date Prev | Date Next | Date Index | Author Index | Historical [Netsec] BIND 9 Resolver crashes after logging an error in query.c

From: Howell, Paul
Date: Mon Dec 05 20:10:29 2011

Accept-language: en-US
List-archive: <http://sfpop-mailman01.merit.edu/mailman/private/netsec>
List-help: <mailto:netsec-request@merit.edu?subject=help>
List-id: <netsec.merit.edu>
List-post: <mailto:netsec@merit.edu>
List-subscribe: <http://sfpop-mailman01.merit.edu/mailman/listinfo/netsec>, <mailto:netsec-request@merit.edu?subject=subscribe>
List-unsubscribe: <http://sfpop-mailman01.merit.edu/mailman/options/netsec>, <mailto:netsec-request@merit.edu?subject=unsubscribe>

At https://www.isc.org/software/bind/advisories/cve-2011-4313

Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9. ISC is actively investigating the root cause and has produced patches which prevent the crash. Further information will be made available soon.

CVE: CVE-2011-4313
Document Version: 2.0
Posting date: 16 Nov 2011
Program Impacted: BIND
Versions affected: BIND 9.0.x -> 9.6.x , 9.4-ESV->9.4-ESV-R5, 9.6-ESV->9.6-ESV-R5, 9.7.0->9.7.4, 9.8.0->9.8.1, 9.9.0a1->9.9.0b1
Severity: Serious
Exploitable: Remotely

Description:
An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached.At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.

The patch has two components. When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.

Update as of 5 December:
Having completed our analysis of the data submitted by those who experienced the crash, ISC has identified how and why this event occurred.
We have confirmed that it was triggered by an accidental operational error that exposed a previously unknown bug in BIND, causing an internal inconsistency which is effectively prevented by the mitigation patches we have produced and distributed.
While the original trigger for this incident no longer exists, it is very possible that the same set of circumstances could be made to recur deliberately rather than accidentally. Therefore, ISC strongly recommends that those running vulnerable servers continue to update to a patched release of BIND.

[an error occurred while processing this directive]