{"vuid":"VU#795694","idnumber":"795694","name":"ISC BIND named negative caching vulnerability","keywords":["isc","bind","named","negative cache","rrsig","rrsets"],"overview":"ISC BIND contains a vulnerability in the processing of large RRSIG RRsets included in a negative cache response.","clean_desc":"According to ISC: DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the negative cache. The authority data will be cached along with the negative cache information. These authoritative “Start of Authority” (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type. In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response. In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check. The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. 
The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup).","impact":"A remote, unauthenticated attacker can cause the named daemon to crash, creating a denial of service condition.","resolution":"Apply an update. Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors. This vulnerability is addressed in ISC BIND versions 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 and 9.8.0-P2. Users of BIND from the original source distribution should upgrade to one of these versions. See also http://www.isc.org/software/bind/advisories/cve-2011-1910","workarounds":"According to ISC: Restricting access to the DNS caching resolver infrastructure will provide partial mitigation. 
Active exploitation can be accomplished through malware or SPAM/Malvertizing actions that will force authorized clients to look up domains that would trigger this vulnerability.","sysaffected":"","thanks":"Thanks to Internet Systems Consortium for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://www.isc.org/software/bind/advisories/cve-2011-1910"],"cveids":["cve-2011-1910"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2011-05-27T12:06:15Z","publicdate":"2011-05-26T00:00:00Z","datefirstpublished":"2011-05-27T12:56:08Z","dateupdated":"2011-06-01T18:22:37Z","revision":12,"vrda_d1_directreport":"0","vrda_d1_population":"4","vrda_d1_impact":"3","cam_widelyknown":"3","cam_exploitation":"1","cam_internetinfrastructure":"19","cam_population":"17","cam_impact":"3","cam_easeofexploitation":"14","cam_attackeraccessrequired":"16","cam_scorecurrent":"4.9266","cam_scorecurrentwidelyknown":"8.568","cam_scorecurrentwidelyknownexploited":"12.6378","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":4.9266,"vulnote":null}