[outages] Fwd: [security-officer at isc.org: Notice: BIND Security Jul2013 CVE2013-4854]

Jay Ashworth jra at baylink.com
Sat Jul 27 17:07:16 EDT 2013 

There's an attack in the wild on BIND >9.7; if you have DNS problems, 
this may be pertinent.  [Forwarded from NANOG]

Cheers,
-- jra

----- Forwarded Message -----
> From: "staticsafe" <me at staticsafe.ca>
> To: nanog at nanog.org
> Sent: Saturday, July 27, 2013 6:27:59 AM
> Subject: [security-officer at isc.org: Notice: BIND Security Jul2013 CVE2013-4854]
> ----- Forwarded message from ISC Security Officer
> <security-officer at isc.org> -----
> 
> Date: Fri, 26 Jul 2013 13:46:50 -0700
> From: ISC Security Officer <security-officer at isc.org>
> To: bind-announce at lists.isc.org, bind-workers at lists.isc.org,
> bind-users at lists.isc.org
> Subject: Notice: BIND Security Jul2013 CVE2013-4854
> 
> IMPORTANT: The security issue described below has been confirmed by
> ISC
> to be 'in the wild' as of 18:00UTC July 26, and exploitation of this
> vulnerability against production servers has been reported by multiple
> organizations. Please be advised that immediate action is recommended.
> 
> A specially crafted query can cause BIND to terminate
> CVE: CVE-2013-4854
> Document Version: 2.0
> Posting date: 26 July 2013
> Program Impacted: BIND
> Versions affected: Open source: 9.7.0->9.7.7, 9.8.0->9.8.5-P1,
> 9.9.0->9.9.3-P1, 9.8.6b1 and 9.9.4b1;
> Subscription: 9.9.3-S1 and 9.9.4-S1b1
> Severity: Critical
> Exploitable: Remotely
> Description:
> 
> A specially crafted query that includes malformed rdata can cause
> named to terminate with an assertion failure while rejecting the
> malformed query.
> 
> BIND 9.6 and BIND 9.6-ESV are unaffected by this problem. Earlier
> branches of BIND 9 are believed to be unaffected but have not
> been tested. BIND 10 is also unaffected by this issue.
> 
> Please Note: All versions of BIND 9.7 are known to be affected,
> but these branches are beyond their "end of life" (EOL) and no
> longer receive testing or security fixes from ISC. For current
> information on which versions are actively supported, please see
> 
> http://www.isc.org/downloads/software-support-policy/bind-software-status/.
> 
> Impact:
> 
> Authoritative and recursive servers are equally vulnerable.
> Intentional exploitation of this condition can cause a denial
> of service in all nameservers running affected versions of BIND
> 9. Access Control Lists do not provide any protection from
> malicious clients.
> 
> In addition to the named server, applications built using libraries
> from the affected source distributions may crash with assertion
> failures triggered in the same fashion.
> 
> CVSS Score: 7.8
> 
> CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> 
> For more information on the Common Vulnerability Scoring System and
> to obtain your specific environmental score please visit:
> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
> 
> 
> Workarounds:
> 
> No known workarounds at this time.
> 
> Active exploits:
> 
> Crashes have been reported by multiple ISC customers. First
> observed in the wild on 26 July 2013, 18:00 UTC.
> 
> Solution:
> 
> Upgrade to the patched release most closely related to your
> current version of BIND. Open source versions can all be
> downloaded from http://www.isc.org/downloads. Subscription
> version customers will be contacted directly by ISC Support
> regarding delivery.
> 
> BIND 9 version 9.8.5-P2
> BIND 9 version 9.9.3-P2
> BIND 9 version 9.9.3-S1-P1 (Subscription version available via DNSco)
> 
> Acknowledgements:
> 
> ISC would like to thank Maxim Shudrak and the HP Zero Day
> Initiative for reporting this issue.
> 
> Document Revision History:
> 
> 1.0 Phase One Advance Notification, 18 July 2013
> 1.1 Phases Two and Three Advance Notification, 26 July 2013
> 2.0 Notification to public (Phase Four), 26 July 2013
> 
> Related Documents:
> 
> Spanish Translation: planned
> Japanese Translation: https://kb.isc.org/article/AA-01023
> Portuguese Translation: https://kb.isc.org/article/AA-01021
> 
> 
> See our BIND Security Matrix for a complete listing of Security
> Vulnerabilities and versions affected.
> 
> This Knowledge Base article https://kb.isc.org/article/AA-01016
> provides additional information and Frequently Asked Questions about
> this advisory.
> 
> If you'd like more information on our product support or about our
> Subscription versions of BIND, please visit
> http://www.dns-co.com/solutions
> 
> Do you still have questions? Questions regarding this advisory
> should go to security-officer at isc.org. To report a new issue,
> please encrypt your message using security-officer at isc.org's PGP
> key which can be found here:
> 
> https://www.isc.org/downloads/software-support-policy/openpgp-key
> 
> If you are unable to use encrypted email, you may also report new
> issues at: https://www.isc.org/mission/contact/.
> 
> Note:
> 
> ISC patches only currently supported versions. When possible we
> indicate EOL versions affected.
> 
> ISC Security Vulnerability Disclosure Policy:
> 
> Details of our current security advisory policy and practice can
> be found here: ISC Software Defect and Security Vulnerability
> Disclosure Policy
> 
> This Knowledge Base article https://kb.isc.org/article/AA-01015
> is the complete and official security advisory document.
> 
> Legal Disclaimer:
> 
> Internet Systems Consortium (ISC) is providing this notice on
> an "AS IS" basis. No warranty or guarantee of any kind is expressed
> in this notice and none should be implied. ISC expressly excludes
> and disclaims any warranties regarding this notice or materials
> referred to in this notice, including, without limitation, any
> implied warranty of merchantability, fitness for a particular
> purpose, absence of hidden defects, or of non-infringement. Your
> use or reliance on this notice or materials referred to in this
> notice is at your own risk. ISC may change this notice at any
> time. A stand-alone copy or paraphrase of the text of this
> document that omits the document URL is an uncontrolled copy.
> Uncontrolled copies may lack important information, be out of
> date, or contain factual errors.
> 
> (c) 2001-2013 Internet Systems Consortium
> 
> 
> _______________________________________________
> bind-announce mailing list
> bind-announce at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-announce
> 
> 
> ----- End forwarded message -----
> 
> --
> staticsafe
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
> Please don't top post.
> Please don't CC! I'm subscribed to whatever list I just posted on.

-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274

More information about the Outages mailing list