—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgende Warnung des NetBSD Security Officers.
Wir geben diese Informationen unveraendert an Sie weiter.

CVE-2010-3613 – Schwachstelle im ISC BIND9 named

Der named aus dem ISC BIND9 Paket vor den Versionen 9.6.2-P3, 9.7.2-P3,
sowie 9.6-ESV-R3 behandelt wiederholte Abfragen nach unbekannten Zonen
nicht richtig. Bestehende RRSIG Eintraege werden nicht bereinigt wenn
ein ‘No DATA’ Eintrag im Cache gehalten wird, so dass nachfolgende
Abfragen (mit INSIST) den named zum Absturz bringen koennen. Ein
entfernter Angreifer kann diese Schwachstelle zu einem Denial-of-Service
ausnutzen.

Betroffen sind die folgenden Software Pakete und Plattformen:

bind vor den Versionen bind-9.7.2pl3 bzw. bind-9.6.2pl3

NetBSD-current: vor dem 2. Dezember 2010
NetBSD-5-1 branch: vor dem 10. Januar 2011
NetBSD-5-0 branch: vor dem 10. Januar 2011
NetBSD-5 branch: vor dem 6. Januar 2011
NetBSD-4-0 branch: vor dem 23. Januar 2011
NetBSD-4 branch: vor dem 23. Januar 2011

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Detlev O. Matthies

– —

Detlev O. Matthies, M.Sc. (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen https://www.cert.dfn.de/autowarn

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

NetBSD Security Advisory 2011-001
=================================

Topic: BIND DoS due to improper handling of RRSIG records

Version: NetBSD-current: affected prior to 20101203
NetBSD 5.1: affected prior to 20110111
NetBSD 5.0: affected prior to 20110111
NetBSD 4.0.*: affected prior to 20110124
NetBSD 4.0: affected prior to 20110124
pkgsrc: net/bind97 package prior to 20101203

Severity: Denial of Service

Fixed: NetBSD-current: Dec 2nd, 2010
NetBSD-5-1 branch: Jan 10th, 2011
NetBSD-5-0 branch: Jan 10th, 2011
NetBSD-5 branch: Jan 6th, 2011
NetBSD-4-0 branch: Jan 23rd, 2011
NetBSD-4 branch: Jan 23rd, 2011
pkgsrc net/bind97: bind-9.7.2pl3 corrects this issue
pkgsrc net/bind96: bind-9.6.2pl3 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Failure to clear existing RRSIG records when a NO DATA is negatively
cached could cause subsequent lookups to crash named.

This vulnerability has been assigned CVE-2010-3613 and CERT
Vulnerability Note VU#706148.

Technical Details
=================

Adding certain types of signed negative responses to the cache
doesn’t clear any matching RRSIG records already in the cache. A
subsequent lookup of the cached data can cause named to crash
(INSIST).

This vulnerability affects recursive nameservers irrespective of
whether DNSSEC validation is enabled or disabled. Exploitation
requires a DNS client authorized to use the nameserver for recursion
requesting information about a specially prepared zone not on the
same nameserver.

Solutions and Workarounds
=========================

We suggest fixing this vulnerability by using the current net/bind97
pkgsrc package instead of the in-system bind until the entire system
can be updated (eg to the next security/critical release, or a binary
snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past the
fix date).

Thanks To
=========

Thanks to the Internet Systems Consortium for reporting this
vulnerability. Thanks to Christos Zoulas for fixing this issue in
– – -current. Thanks to Petra Zeidler for preparing the pullups to
fix this issue on the branches.

Revision History
================

2011-02-01 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-001.txt,v 1.1 2011/02/01 22:03:34 tonnerre Exp $

– —–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.11 (NetBSD)

iQIcBAEBAgAGBQJNSIjqAAoJEAZJc6xMSnBu3GQQAIiJ4rrAGtIuuJNdLJJMC0LB
3JhOG8c2+926KGQm+hZ90WDaKe8GxMie5GvXFHtX0ChvGtuVBQj18OAtwHjw1Dfh
j4erCmZF4KBNiK1IqUeQ1UM3DV3pT0zt/+uY/XzrCy/ppNK4tmY5+levWr/eMLpH
+utiNjvxU3/7cmChreypDbO8wkOABypCbELJBpJY1EgBFG+IZdlKVTKDWq0GRAnh
x+QQbJVpVAmzp5jwr99jJe66syqqE8za/giaFjwfeI6pSMNTsd9BjyOfu4KdlNQr
d4zvjeR/euFynwX4zq+pa6avgBxO+isJJPW/sDMfUN3+W9OctIm5/ghLzerxflo2
W+WdhtaoloBA5dmW/dI6HePZ8ht/Zb7p911BjxBDwKiTJ/Ae9uOjuuox89k8rvo6
wjJ/G9mlRAyAMhJyyEzhx0oaINVPH0rANYsGe5C+3DTB4mGiIsdwemNXC5MEd8gy
+Hj9d3GNB5wQlzEm6wxxnSsqcHJlJlr1wiDnxbQzvLi8e73FWjPvlD7vsHeiSxcT
wWOmu4HOoI4n0E3JE0JBUJJtHsn2RcNbvkj1Jk8txR7c0eL8TdI6MxRlmVzYaMi3
vpsIPxrzBdfZz9SernAbKPOBOzcoVKrMgo5Za+0Q4bOqw/rCrHzb3/MMtkDFN6Jp
JjIAmNPGq2EhJkk3gRmq
=WX9T
– —–END PGP SIGNATURE—–
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.9 (GNU/Linux)

iQEcBAEBAgAGBQJNSX7uAAoJEJtyb8U7iGZBcAsIAI/6IwflNEIDNRSjnc3I0fLc
/ldWjHJm1yVZ8mzOgfjVclm96Rivuu+zQFXSusxAoQ2wp/isFEedetK5Rg0hzSAN
LaV5WeeaWRjeQpk4edp0Hpvd+Y4wBttk7bdtoLd8ARH7u8NMz3TvpCxc0GQUXsHQ
CS5m4LgNufCjd/eRICal38KKFTet8E+iNQ6mn3r14hK8KmPqKKV6Yo3FCHDbop4h
VGPirWHjiYZUC8SgBQQYdFjr17JujDtkkPtqP3ZAoRa7J0eDJOrD7+WkFbYz1wSC
ROhHrnB6PJXyh4FqapNlBCRsGokkZ1n2CRVSFx6N8N6uchEWSGExDH7jKYyzD0g=
=EEno
—–END PGP SIGNATURE—–