[ISC Security Advisory] BIND 9 Resolver crashes after logging an error in query.c

[Peter Losher <plosher () isc org>]

BIND 9 Resolver crashes after logging an error in query.c

Summary: Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing 
recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! 
dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently 
supported release versions of ISC BIND 9. ISC is actively investigating the root cause and has produced patches which 
prevent the crash. Further information will be made available soon.

CVE: CVE-2011-4313
Document Version: 1.1
Document URL: http://www.isc.org/software/bind/advisories/cve-2011-4313 
Posting date: 16 Nov 2011
Program Impacted: BIND
Versions affected: All currently supported versions of BIND, 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x
Severity: Serious
Exploitable: Remotely

Description: 
An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which 
could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record 
with this particular inconsistency is cached.At this time we are making available a patch which makes named recover 
gracefully from the inconsistency, preventing the abnormal exit. 

The patch has two components. When a client query is handled, the code which processes the response to the client has 
to ask the cache for the records for the name that is being queried. The first component of the patch prevents the 
cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has 
been given an inconsistent answer of this nature.
 
CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C) 

Workarounds: 
No workarounds are known. The solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 
9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1

Active exploits: 
Under investigation

Solution: 
Patches mitigating the issue are available at: 
https://www.isc.org/software/bind/981-p1
https://www.isc.org/software/bind/974-p1
https://www.isc.org/software/bind/96-esv-r5-p1
https://www.isc.org/software/bind/94-esv-r5-p1

ISC is receiving multiple reports and working with multiple customers on this issue. Please E-mail all questions, 
packet captures, and details to security-officer () isc org

We very much appreciate all reports received on this issue.

Related Documents: 
Do you have Questions? Questions regarding this advisory should go to security-officer () isc org.

ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found 
here: https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer: 
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is 
expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this 
notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, 
fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this 
notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
 
A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. 
Uncontrolled copies may lack important information, be out of date, or contain factual errors.

-- 
[ plosher () isc org | Senior Operations Architect | ISC | PGP E8048D08 ]