In message <20130326163235.ga31...@redhat.com>, Adam Tkac writes:
> Hello,
>
> if I understand correctly, this isn't an issue in BIND itself but it is some
> memory leak in the underlying regexp library (glibc in Linux case). Can you
> please clarify which exact flaw in glibc (or other regex implementation)
> makes BIND vulnerable to remote DoS? Is it already reported to regex library
> developers? Was it already fixed (and how)?
>
> I'm asking because from a distribution point of view it's better to address
> this flaw directly in the regex implementation, which will automatically make
> BIND invulnerable.
>
> Thank you in advance for your response.
>
> Regards, Adam

While I understand your issues bind-users isn't the forum to answer them.

Mark

> On Tue, Mar 26, 2013 at 12:01:50PM -0400, ISC Support Staff wrote:
> > A critical defect in BIND 9 allows an attacker to cause excessive
> > memory consumption in named or other programs linked to libdns.
> >
> > CVE:               CVE-2013-2266
> > Document Version:  2.0
> > Posting date:      26 March 2013
> > Program Impacted:  BIND
> > Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1,
> >                    9.9.0 -> 9.9.3b1. (Windows versions are not affected.
> >                    Versions of BIND 9 prior to BIND 9.7.0 (including
> >                    BIND 9.6-ESV) are not affected. BIND 10 is
> >                    not affected.)
> > Severity:          Critical
> > Exploitable:       Remotely
> >
> > Description:
> >
> > A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
> > on Unix and related operating systems, allows an attacker to
> > deliberately cause excessive memory consumption by the named
> > process, potentially resulting in exhaustion of memory resources
> > on the affected server. This condition can crash BIND 9 and
> > will likely severely affect operation of other programs running
> > on the same machine.
> >
> > Please Note: Versions of BIND 9.7 are beyond their "end of life"
> > (EOL) and no longer receive testing or security fixes from ISC.
> > However, the re-compilation method described in the "Workarounds"
> > section of this document will prevent exploitation in BIND 9.7
> > as well as in currently supported versions.
> >
> > For current information on which versions are actively supported,
> > please see http://www.isc.org/software/bind/versions.
> >
> > Additional information is available in the CVE-2013-2266 FAQ and
> > Supplemental Information article in the ISC Knowledge base,
> > https://kb.isc.org/article/AA-00879.
> >
> > Impact:
> >
> > Intentional exploitation of this condition can cause denial of
> > service in all authoritative and recursive nameservers running
> > affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
> > through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
> > (inclusive)]. Additionally, other services which run on the
> > same physical machine as an affected BIND server could be
> > compromised as well through exhaustion of system memory.
> >
> > Programs using the libdns library from affected versions of BIND
> > are also potentially vulnerable to exploitation of this bug if
> > they can be forced to accept input which triggers the condition.
> > Tools which are linked against libdns (e.g. dig) should also be
> > rebuilt or upgraded, even if named is not being used.
> >
> > CVSS Score: 7.8
> >
> > CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> >
> > For more information on the Common Vulnerability Scoring System
> > and to obtain your specific environmental score please visit:
> >
> > http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
> >
> > Workarounds:
> >
> > Patched versions are available (see the "Solutions:" section
> > below) or operators can prevent exploitation of this bug in any
> > affected version of BIND 9 by compiling without regular expression
> > support.
> >
> > Compilation without regular expression support:
> >
> > BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
> > and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
> > safe from this bug by re-compiling the source with regular
> > expression support disabled.
> > In order to disable inclusion of regular expression support:
> >
> > - After configuring BIND features as desired using the configure
> >   script in the top level source directory, manually edit the
> >   "config.h" header file that was produced by the configure
> >   script.
> >
> > - Locate the line that reads "#define HAVE_REGEX_H 1" and
> >   replace the contents of that line with "#undef HAVE_REGEX_H".
> >
> > - Run "make clean" to remove any previously compiled object
> >   files from the BIND 9 source directory, then proceed to
> >   make and install BIND normally.
> >
> > Active exploits:
> >
> > No known active exploits.
> >
> > Solution:
> >
> > Compile BIND 9 without regular expression support as described
> > in the "Workarounds" section of this advisory or upgrade to the
> > patched release most closely related to your current version of
> > BIND. These can be downloaded from http://www.isc.org/downloads/all.
> >
> > BIND 9 version 9.8.4-P2
> > BIND 9 version 9.9.2-P2
> >
> > Acknowledgements:
> >
> > ISC would like to thank Matthew Horsfall of Dyn, Inc. for
> > discovering this bug and bringing it to our attention.
> >
> > Document Revision History:
> >
> > 1.0 Phase One - Advance Notification, 11 March 2013
> > 1.1 Phase Two & Three, 25 March 2013
> > 2.0 Notification to Public (Phase Four), 26 March 2013
> >
> > Related Documents:
> >
> > Japanese Translation: https://kb.isc.org/article/AA-00881
> > Spanish Translation: https://kb.isc.org/article/AA-00882
> > German Translation: https://kb.isc.org/article/AA-00883
> > Portuguese Translation: https://kb.isc.org/article/AA-00884
> >
> > See our BIND Security Matrix for a complete listing of Security
> > Vulnerabilities and versions affected.
> >
> > If you'd like more information on our product support please visit
> > www.isc.org/support.
> >
> > Do you still have questions? Questions regarding this advisory
> > should go to security-offi...@isc.org
> >
> > Note:
> >
> > ISC patches only currently supported versions. When possible we
> > indicate EOL versions affected.
> >
> > ISC Security Vulnerability Disclosure Policy: Details of our current
> > security advisory policy and practice can be found here:
> > https://www.isc.org/security-vulnerability-disclosure-policy
> >
> > This Knowledge Base article https://kb.isc.org/article/AA-00871 is
> > the complete and official security advisory document.
> >
> > Legal Disclaimer:
> >
> > Internet Systems Consortium (ISC) is providing this notice on
> > an "AS IS" basis. No warranty or guarantee of any kind is expressed
> > in this notice and none should be implied. ISC expressly excludes
> > and disclaims any warranties regarding this notice or materials
> > referred to in this notice, including, without limitation, any
> > implied warranty of merchantability, fitness for a particular
> > purpose, absence of hidden defects, or of non-infringement. Your
> > use or reliance on this notice or materials referred to in this
> > notice is at your own risk. ISC may change this notice at any
> > time. A stand-alone copy or paraphrase of the text of this
> > document that omits the document URL is an uncontrolled copy.
> > Uncontrolled copies may lack important information, be out of
> > date, or contain factual errors.
> >
> > (c) 2001-2013 Internet Systems Consortium
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Adam Tkac, Red Hat, Inc.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
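
A version-triage sketch for the affected ranges and patched releases quoted in the advisory above, added here as an example (it is not ISC's code and not part of the thread). The ordering of pre-release and -P suffixes, the treatment of later -P releases on a patched base as patched, and the names `parse` and `classify` are assumptions; it reads version strings only, so the Windows exemption, the config.h workaround and distribution backports are outside what it can see.

```python
import re

# major.minor[.patch][a|b|rc N][-P N], e.g. "9.8.5b1", "9.8.4-P2", "9.6-ESV-R9"
_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?(?:-P(\d+))?")
# Assumed ordering: alpha < beta < rc < final release < -P patch releases.
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}


def parse(text):
    """Return a sortable tuple for the first BIND-style version in text, or None."""
    m = _VER.search(text)
    if m is None:
        return None
    major, minor, patch, stage, stage_n, p = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE[stage], int(stage_n or 0), int(p or 0))


# Ranges as stated in the advisory: 9.8.0 -> 9.8.5b1 and 9.9.0 -> 9.9.3b1.
# Assumption: pre-releases of 9.8.0 / 9.9.0 are counted as affected too.
AFFECTED = [((9, 8, 0, 0, 0, 0), parse("9.8.5b1")),
            ((9, 9, 0, 0, 0, 0), parse("9.9.3b1"))]
# Patched releases named in the advisory's "Solution" section.
PATCHED = [parse("9.8.4-P2"), parse("9.9.2-P2")]


def classify(banner):
    """Classify a version banner as 'patched', 'affected', 'not listed' or 'unknown'."""
    v = parse(banner)
    if v is None:
        return "unknown"
    # The patched releases sit inside the affected ranges, so test them first.
    # Assumption: a later -P on the same base release keeps the fix.
    if any(v[:5] == f[:5] and v[5] >= f[5] for f in PATCHED):
        return "patched"
    if v[:2] == (9, 7):  # "BIND 9.7.x": every 9.7 release, no fix (EOL)
        return "affected"
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "affected"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample banners, not taken from any real host.
    for s in ["BIND 9.8.4-P1", "9.8.4-P2", "9.9.3b1", "9.7.7", "9.6-ESV-R9"]:
        print(f"{s:15} {classify(s)}")
```
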