ISC BIND vulns/updates

46 replies to this topic

#1 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 08 January 2009 - 05:09 AM

FYI...

BIND 9.x security patch
- http://isc.sans.org/...ml?storyid=5641
Last Updated: 2009-01-08 02:00:56 UTC - "The Internet Systems Consortium [ http://www.isc.org ] has released an update for all supported BIND 9.x versions today (2009-Jan-07) containing a security patch to address a potential DNS poisoning vector. *NOTE* This patch release does not appear to be an emergency situation requiring immediate updates for all... Patch deployment would appear most critical among recursive name resolvers. The flaw affects all actively developed and supported versions prior to and resolved with today's release of BIND 9.3.6-P1, 9.4.3-P1, 9.5.0-P2(-W2), 9.5.1-P1 and 9.6.0-P1... check with your vendor.
From the BIND "RELEASE NOTES" relative to each specific supported version:
"BIND 9.6.0-P1 is a SECURITY patch for BIND 9.6.0. It addresses a bug in which return values from some OpenSSL functions were left unchecked, making it theoretically possible to spoof answers from some signed zones."
ISC BIND Server software Index
https://www.isc.org/downloadables/11 ..."

> https://www.isc.org/node/373
7 January 2009

- http://web.nvd.nist....d=CVE-2009-0025
- http://web.nvd.nist....d=CVE-2008-5077

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster

Posted 29 July 2009 - 04:12 AM

FYI...

BIND Dynamic Update DoS - update
- https://www.isc.org/node/474
CVE: CVE-2009-0696
CERT: http://www.kb.cert.org/vuls/id/725188
Posting date: 2009-07-28
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.
Description:
Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.
This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.
dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.
db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).
Workarounds: None.
(Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)

Active exploits: An active remote exploit is in wide circulation at this time.
Solution: Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:
http://ftp.isc.org/i...9.6.1-P1.tar.gz
http://ftp.isc.org/i...9.5.1-P3.tar.gz
http://ftp.isc.org/i...9.4.3-P3.tar.gz ...
___

ISC BIND Dynamic Update Denial of Service Vuln
- http://secunia.com/advisories/36038/2/
Release Date: 2009-07-29
Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch ...

- http://www.us-cert.g...nsortium_bind_9
July 29, 2009

Edited by apluswebmaster, 29 July 2009 - 08:42 AM.

#3 AplusWebMaster

Posted 25 November 2009 - 07:29 AM

FYI...

ISC BIND DNSSEC Cache Poisoning vuln - update available
- http://secunia.com/advisories/37426/2/
Release Date: 2009-11-25
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.4.x, ISC BIND 9.5.x, ISC BIND 9.6.x ...
Solution: Update to version 9.4.3-P4, 9.5.2-P1, or 9.6.1-P2.
https://www.isc.org/downloadables/11
Original Advisory:
https://www.isc.org/node/504
CVE reference:
- http://web.nvd.nist....d=CVE-2009-4022
Last revised: 11/27/2009

- http://atlas.arbor.n...ndex#1385906170

Edited by apluswebmaster, 05 December 2009 - 06:09 AM.

#4 AplusWebMaster

Posted 15 December 2009 - 09:10 AM

FYI...

BIND name server updates - DNSSEC
- http://isc.sans.org/...ml?storyid=7750
Last Updated: 2009-12-15 13:47:50 UTC - "Over the first half of 2010, ICANN/IANA plan to sign the root zone [1]. The DNSSEC signature will use SHA256 hashes, which are not supported in older but common versions of BIND. If you run BIND 9.6.0 or 9.6.0P1, you may have issues with these signatures. The bug was fixed in BIND 9.6.1.
From the ISC.org mailing list:
"ISC has arranged for two test zones to be made available which are signed using the new algorithms which are listed in dlv.isc.org.
You can test whether you can successfully resolve these zones using the following queries.
dig rsasha256.island.dlvtest.dns-oarc.net soa
dig rsasha512.island.dlvtest.dns-oarc.net soa

[1] http://www.icann.org...-09oct08-en.htm
[2] https://www.isc.org/...are/bind/dnssec "

#5 AplusWebMaster

Posted 20 January 2010 - 03:54 AM

FYI...

BIND v9.6.1-P3 released
- http://isc.sans.org/...ml?storyid=8029
Last Updated: 2010-01-20 03:24:17 UTC - "Internet Systems Consortium (ISC) announced the release of the BIND 9.6.1-P3 security patch to address two cache poisoning vulnerabilities, "both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid."
- https://www.isc.org/...s/CVE-2010-0097
- https://www.isc.org/...CVE-2009-4022v6
You can download BIND 9.6.1-P3 from:
ftp://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.6.1-P3/BIND9.6.1-P3.zip (binary kit for Windows XP/2003/2008)..."

- http://secunia.com/advisories/38219/2/
Release Date: 2010-01-20
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.4.x, ISC BIND 9.5.x, ISC BIND 9.6.x
US-CERT VU#360341: http://www.kb.cert.org/vuls/id/360341

Edited by apluswebmaster, 20 January 2010 - 04:32 AM.

#6 AplusWebMaster

Posted 02 March 2010 - 11:17 AM

FYI...

BIND v9.6.2 released
- http://isc.org/files...62.html#RELEASE

- http://isc.org/files....html#DOWNLOADS

Windows Download
- http://isc.org/softw...load/bind962zip

- http://isc.sans.org/...ml?storyid=8335
Last Updated: 2010-03-02 13:19:13 UTC

Edited by apluswebmaster, 02 March 2010 - 11:24 AM.

#7 AplusWebMaster

Posted 02 December 2010 - 04:49 AM

FYI...

BIND vulns/updates released

Security Advisories
- http://www.isc.org/advisories/bind

- http://secunia.com/advisories/42374/
Release Date: 2010-12-02
Software: ISC BIND 9.6.x, ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/...s/cve-2010-3613

- http://secunia.com/advisories/42435/
Release Date: 2010-12-02
Software: ISC BIND 9.4.x, ISC BIND 9.6.x, ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/...s/cve-2010-3614

- http://secunia.com/advisories/42458/
Release Date: 2010-12-02
Software: ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/...s/cve-2010-3615

- http://www.us-cert.g...vulnerabilities
December 2, 2010

- http://www.securityt....com/id?1024817
Dec 2 2010

Edited by AplusWebMaster, 03 December 2010 - 06:58 AM.

#8 AplusWebMaster

Posted 23 February 2011 - 02:34 PM

FYI...

BIND DoS vuln advisory - v9.7.1-9.7.2-P3
- http://www.isc.org/s...s/cve-2011-0414
22 Feb 2011
Versions affected: 9.7.1-9.7.2-P3
Severity: High
Exploitable: remotely
"... upgrade to BIND 9.7.3.... If you run BIND 9.6.x, 9.6-ESV-Rx, or 9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is End of Life and is not supported by ISC. BIND 9.8 is -not- vulnerable..."

- http://www.isc.org/software/bind

- http://www.securityt....com/id/1025110
Feb 23 2011

- http://web.nvd.nist....d=CVE-2011-0414
Last revised: 02/23/2011

#9 AplusWebMaster

Posted 06 May 2011 - 04:47 AM

FYI...

BIND - DoS vuln - update available
- http://secunia.com/advisories/44416/
Release Date: 2011-05-06
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.8.x
CVE Reference: CVE-2011-1907
Solution: Update to version 9.8.0-P1 or higher.
Original Advisory: https://www.isc.org/CVE-2011-1907

- http://www.securityt....com/id/1025503
May 6 2011

#10 AplusWebMaster

Posted 27 May 2011 - 08:19 AM

FYI...

ISC BIND vuln...
- http://secunia.com/advisories/44719/
Release Date: 2011-05-27
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Software: ISC BIND 9.4.x, 9.6.x, 9.7.x, 9.8.x
CVE Reference: CVE-2011-1910
Solution: Update to version 9.4-ESV-R4-P1 as soon as available or versions 9.6-ESV-R4-P1, 9.7.3-P1, and 9.8.0-P2.
Original Advisory: https://www.isc.org/...s/cve-2011-1910

#11 AplusWebMaster

Posted 05 July 2011 - 10:17 AM

FYI...

ISC BIND - DoS vulns/updates
- http://web.nvd.nist....d=CVE-2011-2464
- http://web.nvd.nist....d=CVE-2011-2465

- http://secunia.com/advisories/45082/
Release Date: 2011-07-05
Criticality level: Moderately critical
Impact: DoS
Where: From remote ...
Software: ISC BIND 9.6.x, ISC BIND 9.7.x
Solution: Update to versions 9.6-ESV-R4-P3, 9.7.3-P3.
Original Advisory: http://www.isc.org/s...s/cve-2011-2464
Severity: High
- http://secunia.com/advisories/45185/
Release Date: 2011-07-05
Criticality level: Moderately critical
Impact: DoS
Where: From remote ...
Software: ISC BIND 9.8.x
Solution: Update to version 9.8.0-P4.
Original Advisory: http://www.isc.org/s...s/cve-2011-2465
Severity: High
- http://www.securityt....com/id/1025743
- http://www.securityt....com/id/1025742
Jul 5 2011
___

IBM AIX BIND - DNSSEC
- http://aix.software....9_advisory2.asc
Jul 15 2011
CVE Numbers:
- http://web.nvd.nist....d=CVE-2010-3613
- http://web.nvd.nist....d=CVE-2010-3614

Edited by AplusWebMaster, 18 July 2011 - 04:31 PM.

#12 AplusWebMaster

Posted 17 November 2011 - 07:39 AM

FYI...

BIND 9 updates released

- https://www.isc.org/...s/cve-2011-4313
5 December update... "... Workarounds:
The best solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
5 December Update: For customers who are unable to migrate immediately to a patched version of BIND, there is now a mitigation strategy available. ISC continues to strongly recommend installing a patched version as the safest course of action, but if circumstances prevent you from doing so you can still reduce or eliminate your exposure to the CVE-2011-4313 vulnerability with a configuration option addition to named.conf.
Please see this Supplemental page* in our KnowledgeBase for full details of this workaround and other operational considerations...
* https://deepthought....rticle/AA-00549
Last Updated: 2011-12-05
• Authoritative-only servers are -not- vulnerable. Only servers acting in a recursive / resolving capacity are affected.
• Recursive servers are vulnerable if they query zones which you do not directly control (for example, if they query zones on the internet.)
• Resolving queries through a forwarder does not prevent exposure to this vulnerability.
• You are potentially vulnerable if you resolve queries for data provided by a third party. Examples could include addresses in email, html links in web pages, or queries submitted by users..."

* https://www.isc.org/...s/cve-2011-4313
16 November 2011 - "... reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9...
CVE: CVE-2011-4313
Versions affected: All currently supported versions of BIND, 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x
Severity: Serious
Exploitable: Remotely ...
Workarounds: No workarounds are known. The solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
Active exploits: Under investigation
Solution: Patches mitigating the issue are available at:
https://www.isc.org/...are/bind/981-p1
https://www.isc.org/...are/bind/974-p1
https://www.isc.org/...nd/96-esv-r5-p1
https://www.isc.org/...nd/94-esv-r5-p1 ...

- https://secunia.com/advisories/46887/
Last Update: 2011-11-17
Criticality level: Highly critical
Impact: DoS
Where: From remote
... vulnerability is reported in versions 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x.
Solution: Update to a fixed version or apply patch (please see the vendor's advisory* for details)....

- http://www.securityt....com/id/1026335
CVE Reference: http://web.nvd.nist....d=CVE-2011-4313
Date: Nov 17 2011
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x ...

- https://isc.sans.edu...l?storyid=12049
Last Updated: 2011-11-17 12:58:47 UTC

- http://h-online.com/-1380518
17 November 2011 - "... Update: Patches for Red Hat Enterprise Linux have been released; the advisories RHSA-2011:1458 and RHSA-2011:1459 contain further details."
- http://rhn.redhat.co...-2011-1458.html
- http://rhn.redhat.co...-2011-1459.html

- http://www.theregist...n_a_bind_again/
16th November 2011 22:17 GMT - "... apparently being exploited to attack networks, with multiple members of the BIND users email list from Germany, France and the US reporting simultaneous crashes across multiple servers..."

Edited by AplusWebMaster, 05 December 2011 - 10:03 PM.

#13 AplusWebMaster

Posted 27 November 2011 - 02:48 PM

FYI...

Oracle Solaris ISC-BIND vuln
- https://secunia.com/advisories/46984/
Release Date: 2011-11-24
Criticality level: Highly critical
Impact: DoS
Where: From remote
Operating System: Sun Solaris 10.x, 8, 9
CVE Reference: http://web.nvd.nist....d=CVE-2011-4313
CVSS v2 Base Score: 5.0 (MEDIUM)
Last revised: 12/01/2011
Solution: Apply patches.
Original Advisory: http://blogs.oracle...._4313_denial_of
Nov 29, 2011

Others: http://blogs.oracle.com/sunsecurity/
___

- https://www.isc.org/...s/cve-2011-4313
CVE: CVE-2011-4313
16 Nov 2011

Edited by AplusWebMaster, 01 December 2011 - 09:36 AM.

#14 AplusWebMaster

Posted 26 July 2012 - 02:46 PM

FYI...


BIND TCP Memory Leak ...
- http://www.securityt....com/id/1027297
CVE Reference: http://web.nvd.nist....d=CVE-2012-3868 - 4.3
Jul 25 2012
Version(s): 9.9.0 through 9.9.1-P1
Description: A vulnerability was reported in BIND. A remote user can cause denial of service conditions...
Impact: A remote user can cause performance degradation on the target system.
Solution: The vendor has issued a fix (9.9.1-P2).
The vendor's advisory is available at: https://kb.isc.org/article/AA-00730
Severity: High

BIND DNSSEC Validation Cache Failure ...
- http://www.securityt....com/id/1027296
CVE Reference: http://web.nvd.nist....d=CVE-2012-3817 - 7.8 (HIGH)
Jul 25 2012
Version(s): 9.6-ESV-R1 through 9.6-ESV-R7-P1; 9.7.1 through 9.7.6-P1; 9.8.0 through 9.8.3-P1; 9.9.0 through 9.9.1-P1
Description: A vulnerability was reported in BIND. A remote user can cause denial of service conditions...
Impact: A remote user can cause the target system to crash.
Solution: The vendor has issued a fix (9.9.1-P2, 9.8.3-P2, 9.7.6-P2, 9.6-ESV-R7-P2).
The vendor's advisory is available at: https://kb.isc.org/article/AA-00729
Severity: Critical

Edited by AplusWebMaster, 26 July 2012 - 03:09 PM.

#15 AplusWebMaster

Posted 14 September 2012 - 08:50 AM

FYI...

ISC BIND DoS vuln - update available
- http://www.securityt....com/id/1027529
Sep 13 2012
CVE Reference: http://web.nvd.nist....d=CVE-2012-4244 - 7.8 (HIGH)
Impact: Denial of service via network
Solution: The vendor has issued a fix (9.7.6-P3, 9.7.7, 9.6-ESV-R7-P3, 9.6-ESV-R8, 9.8.3-P3, 9.8.4, 9.9.1-P3, 9.9.2).
Description: ... A remote user can cause denial of service conditions.
The vendor's advisory is available at:
https://kb.isc.org/article/AA-00778/74
Severity: Critical

- https://secunia.com/advisories/50610/
Release Date: 2012-09-13
Criticality level: Moderately critical
Impact: DoS
Where: From remote...
___

- https://www.isc.org/...security/matrix

Edited by AplusWebMaster, 14 September 2012 - 09:41 AM.

#16 AplusWebMaster

Posted 10 October 2012 - 09:29 AM

FYI...

BIND DNS server vuln...
- http://h-online.com/-1727232
10 Oct 2012 - "The Internet Systems Consortium (ISC) is warning users of a critical vulnerability in the free BIND DNS server that can be exploited by an attacker to cause a denial-of-service (DoS) condition. According to the ISC, the security issue (CVE-2012-5166*) is caused by a problem when processing a specially crafted combination of resource records (RDATA). When loaded, this data can cause a name server to lock up. The ISC says that, when this happens, normal functionality can only be restored by terminating and restarting the named daemon. Affected versions include 9.2.x to 9.6.x, 9.4-ESV to 9.4-ESV-R5-P1, 9.6-ESV to 9.6-ESV-R7-P3, 9.7.0 to 9.7.6-P3, 9.8.0 to 9.8.3-P3 and 9.9.0 to 9.9.1-P3. The ISC notes that while versions 9.2, 9.3, 9.4 and 9.5 of BIND are vulnerable, these branches are considered to be "end of life" (EOL) and are no longer updated. Upgrading to 9.7.7, 9.7.6-P4, 9.6-ESV-R8, 9.6-ESV-R7-P4, 9.8.4, 9.8.3-P4, 9.9.2 or 9.9.1-P4 corrects the problem. Alternatively, as a workaround, users can set the "minimal-responses" option to "yes" in order to prevent the lockup. The ISC says that it currently knows of no active exploits. The new releases are available from the ISC's downloads page**; all users are advised to update to the latest versions."

* https://kb.isc.org/article/AA-00801
Last Updated: 2012-10-09
- https://www.isc.org/...s/cve-2012-5166

** https://www.isc.org/downloads/all

> https://www.isc.org/...security/matrix
___

- http://www.securityt....com/id/1027642
CVE Reference: http://web.nvd.nist....d=CVE-2012-5166 - 7.8 (HIGH)
Oct 11 2012
Solution: The vendor has issued a fix (9.6-ESV-R8, 9.6-ESV-R7-P4, 9.7.7, 9.7.6-P4, 9.8.4, 9.8.3-P4, 9.9.2, 9.9.1-P4).
The vendor's advisory is available at: https://kb.isc.org/article/AA-00801

- https://secunia.com/advisories/50878/
Release Date: 2012-10-10
Criticality level: Moderately critical
Impact: DoS
Where: From remote...
CVE Reference: CVE-2012-5166
Solution: Update to a fixed release... see the vendor's advisory for details.
Original Advisory: https://kb.isc.org/article/AA-00801

Edited by AplusWebMaster, 15 October 2012 - 05:56 AM.
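
Added example (not part of the original posts and not ISC tooling): a checker that decides whether a BIND release string falls inside the CVE-2012-5166 affected ranges quoted in the post above, and which fixed releases on the same branch it can move to. It assumes ESV and non-ESV releases are separate trains that are never compared with each other; the names `parse` and `check` are illustrative.

```python
import re

# Release names as ISC advisories write them: 9.9.1-P3, 9.6-ESV-R7-P3, 9.8.6b1.
# Windows (-W) and subscription (-S) builds are not handled and raise ValueError.
_VERSION_RE = re.compile(
    r"^(?:BIND\s+)?(\d+)\.(\d+)"   # major.minor, optional "BIND " prefix
    r"(?:\.(\d+))?"                # maintenance number (absent on ESV names)
    r"(?:-(ESV)(?:-R(\d+))?)?"     # extended-support train and its R number
    r"(?:(a|b|rc)(\d+))?"          # alpha / beta / release candidate
    r"(?:-P(\d+))?$"               # security patch level
)
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}  # a final release sorts after its betas

# CVE-2012-5166 data copied from the advisory text quoted in the post above.
AFFECTED_RANGES = [
    ("9.4-ESV", "9.4-ESV-R5-P1"),
    ("9.6-ESV", "9.6-ESV-R7-P3"),
    ("9.7.0", "9.7.6-P3"),
    ("9.8.0", "9.8.3-P3"),
    ("9.9.0", "9.9.1-P3"),
]
FIXED = ["9.6-ESV-R7-P4", "9.6-ESV-R8", "9.7.6-P4", "9.7.7",
         "9.8.3-P4", "9.8.4", "9.9.1-P4", "9.9.2"]


def parse(version):
    """Return (train, key). train = (major, minor, is_esv); key orders
    releases inside one train. Assumption: trains are never cross-compared."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, maint, esv, rnum, pre, pre_n, patch = m.groups()
    train = (int(major), int(minor), bool(esv))
    # ESV names carry an R number where ordinary names carry a maintenance number.
    level = int(rnum or 0) if esv else int(maint or 0)
    key = (level, _PRE_RANK[pre], int(pre_n or 0), int(patch or 0))
    return train, key


def check(version):
    """Return (affected, targets) for CVE-2012-5166.

    targets lists the fixed releases on the same train that are newer than
    `version`; an empty list for an affected release means the advisory
    names no fix on that train (for example the end-of-life branches)."""
    train, key = parse(version)
    major, minor, esv = train
    # "9.2.x to 9.6.x": every non-ESV release on these branches is affected.
    affected = major == 9 and not esv and 2 <= minor <= 6
    for lo, hi in AFFECTED_RANGES:
        lo_train, lo_key = parse(lo)
        if lo_train == train and lo_key <= key <= parse(hi)[1]:
            affected = True
    if not affected:
        return False, []
    targets = [f for f in FIXED if parse(f)[0] == train and parse(f)[1] > key]
    return True, sorted(targets, key=lambda f: parse(f)[1])


if __name__ == "__main__":
    # Constructed sample inputs, e.g. the token printed by `named -v`.
    for v in ["BIND 9.9.1-P3", "9.9.1-P4", "9.6-ESV-R7-P3", "9.5.2-P1", "9.10.0"]:
        print(v, "->", check(v))
```

The comparison is numeric per field, so 9.10.0 sorts after 9.9.x and a -P4 release sorts after -P3 on the same maintenance number, which plain string comparison gets wrong.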

#17 AplusWebMaster

Posted 05 December 2012 - 08:22 AM

FYI...

ISC BIND 9.8.4-P1, 9.9.2-P1 released
- https://secunia.com/advisories/51484/
Release Date: 2012-12-05
Criticality level: Moderately critical
Impact: DoS
Where: From remote...
Software: ISC BIND 9.8.x, ISC BIND 9.9.x
CVE Reference: http://web.nvd.nist....d=CVE-2012-5688 - 7.8 (HIGH)
... vulnerability is reported in versions 9.8.0 through 9.8.4 and 9.9.0 through 9.9.2.
Solution: Update to version 9.8.4-P1 or 9.9.2-P1.
Original Advisory:
https://www.isc.org/...s/cve-2012-5688
Severity: Critical
https://kb.isc.org/article/AA-00828
https://kb.isc.org/article/AA-00829
Last Updated: 2012-12-04

- http://www.securityt....com/id/1027835
CVE Reference: CVE-2012-5688
Dec 5 2012
Impact: Denial of service via network
Version(s): 9.8.0 - 9.8.4, 9.9.0 - 9.9.2
Solution: The vendor has issued a fix (9.8.4-P1, 9.9.2-P1).

- https://isc.sans.edu...l?storyid=14641
Last Updated: 2012-12-05 13:07:56 UTC - "... The patch addresses -26- different bugs and/or security issues..."

> https://www.isc.org/downloads/all
___

- http://h-online.com/-1763332
6 Dec 2012

Edited by AplusWebMaster, 23 December 2012 - 09:21 AM.

#18 AplusWebMaster

Posted 25 January 2013 - 05:38 AM

FYI...

ISC BIND DoS vuln
- https://secunia.com/advisories/51969/
Release Date: 2013-01-25
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Software: ISC BIND 9.8.x, 9.9.x
CVE Reference: CVE-2012-5689
Original Advisory:
- https://www.isc.org/...s/cve-2012-5689
CVE: CVE-2012-5689
Document Version: 2.0
Posting date: 24 Jan 2013
Program Impacted: BIND
Versions affected: 9.8.0->9.8.4-P1, 9.9.0->9.9.2-P1
- https://kb.isc.org/article/AA-00855
 

#19 AplusWebMaster

Posted 29 March 2013 - 08:14 AM

FYI...

ISC BIND 9 - critical update
- https://secunia.com/advisories/52782/
Release Date: 2013-03-27
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Software: ISC BIND 9.7.x, 9.8.x, 9.9.x
Solution: Apply patches or update to a fixed release (please see the vendor's advisory for details).
- https://kb.isc.org/article/AA-00871
2013-03-26 - "A critical defect in BIND 9 allows an attacker to cause excessive memory consumption in named or other programs linked to libdns..."
> https://www.isc.org/downloads/all

- https://web.nvd.nist...d=CVE-2013-2266 - 7.8 (HIGH)

- http://h-online.com/-1832816
29 March 2013

Ubuntu update for bind9
- https://secunia.com/advisories/52861/
Release Date: 2013-04-01
... more information: https://secunia.com/SA52782/
Solution: Apply updated packages.
Original Advisory: USN-1783-1: http://www.ubuntu.com/usn/usn-1783-1/

Debian update for bind9
- https://secunia.com/advisories/52810/
Release Date: 2013-04-01
... more information: https://secunia.com/SA52782/
Solution: Apply updated packages via the apt-get package manager.
Original Advisory: DSA-2656-1: http://www.debian.or...y/2013/dsa-2656
 

Edited by AplusWebMaster, 01 April 2013 - 08:30 AM.

#20 AplusWebMaster

Posted 05 June 2013 - 03:17 AM

FYI...

ISC BIND9 - DoS vuln/fix
- https://secunia.com/advisories/53709/
Release Date: 2013-06-05
Criticality level: Moderately critical
Impact: DoS
Where: From remote ...
Software: ISC BIND 9.6.x, 9.8.x, 9.9.x
CVE Reference: https://web.nvd.nist...d=CVE-2013-3919 - 7.8 (HIGH)
... vulnerability is reported in versions 9.6-ESV-R9, 9.8.5, and 9.9.3.
Solution: Update to version 9.9.3-P1, 9.8.5-P1, or 9.6-ESV-R9-P1.
Original Advisory: ISC: https://kb.isc.org/article/AA-00967

> https://www.isc.org/downloads/all
___

- https://isc.sans.edu...l?storyid=15941
Last Updated: 2013-06-05 22:00:12 UTC
 

Edited by AplusWebMaster, 15 June 2013 - 11:43 AM.

#21 AplusWebMaster

Posted 26 July 2013 - 06:40 PM

FYI...

ISC BIND 9 DoS vuln
- https://kb.isc.org/article/AA-01015
2013-07-26
Program Impacted: BIND
Versions affected: Open source: 9.7.0->9.7.7, 9.8.0->9.8.5-P1, 9.9.0->9.9.3-P1, 9.8.6b1 and 9.9.4b1; Subscription: 9.9.3-S1 and 9.9.4-S1b1
Severity: Critical
Exploitable: Remotely
Description: A specially crafted query that includes malformed rdata can cause named to terminate with an assertion failure while rejecting the malformed query.
BIND 9.6 and BIND 9.6-ESV are unaffected by this problem.  Earlier branches of BIND 9 are believed to be unaffected but have not been tested. BIND 10 is also unaffected by this issue.
Please Note: All versions of BIND 9.7 are known to be affected, but these branches are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC. For current information on which versions are actively supported, please see

http://www.isc.org/d...oftware-status/
Impact: Authoritative and recursive servers are equally vulnerable. Intentional exploitation of this condition can cause a denial of service in all nameservers running affected versions of BIND 9. Access Control Lists do not provide any protection from malicious clients. In addition to the named server, applications built using libraries from the affected source distributions may crash with assertion failures triggered in the same fashion...
CVSS Score: 7.8 ...
Workarounds: No known workarounds at this time.   
Active exploits: Crashes have been reported by multiple ISC customers. First observed in the wild on 26 July 2013.
Solution: Upgrade to the patched release most closely related to your current version of BIND.  Open source versions can all be downloaded from
- http://www.isc.org/downloads
Subscription version customers will be contacted directly by ISC Support regarding delivery.
    BIND 9 version 9.8.5-P2
    BIND 9 version 9.9.3-P2
    BIND 9 version 9.9.3-S1-P1 (Subscription version available via DNSco)..."

- https://secunia.com/advisories/54195/
Release Date: 2013-07-29
Criticality: Moderately Critical
CVE Reference: https://web.nvd.nist...d=CVE-2013-4854 - 7.8 (HIGH)
Note: This is currently being exploited in the wild.
... vulnerability is reported in versions 9.8.0 through 9.8.5-P1 and versions 9.9.0 through 9.9.3-P1.
Solution: Update to a fixed version.
Original Advisory:
https://kb.isc.org/article/AA-01015/0
https://kb.isc.org/article/AA-01016/

- http://www.securityt....com/id/1028838
CVE Reference: CVE-2013-4854
Jul 26 2013
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Solution: The vendor has issued a fix (9.8.5-P2, 9.9.3-P2, 9.9.3-S1-P1)...
 

Edited by AplusWebMaster, 31 July 2013 - 09:15 AM.

#22 AplusWebMaster

Posted 07 November 2013 - 12:35 PM

FYI...

BIND 9.6.x, 9.8.x, 9.9.x - updated
- https://kb.isc.org/article/AA-01062/
CVE: CVE-2013-6230
06 Nov 2013
Program Impacted: BIND
Versions affected:
Windows versions 9.6-ESV->9.6-ESV-R10, 9.8.0->9.8.6, 9.9.0->9.9.4; Subscription: 9.9.3-S1 and 9.9.4-S1. ONLY Windows servers are affected.
Severity: High, for Windows systems with a specific netmask value set.
Exploitable: Remotely ...

BIND 9 Security Vulnerability Matrix
- https://kb.isc.org/article/AA-00913/0
Last Updated: 2013-11-06

- https://secunia.com/advisories/55607/
Release Date: 2013-11-07
Where: From remote
Impact: Security Bypass
Software: ISC BIND 9.6.x, 9.8.x, 9.9.x
CVE Reference: CVE-2013-6230
Note: This security issue only affects ISC BIND running on Windows. The security issue is reported in versions prior to 9.9.4-P1, 9.8.6-P1, and 9.6-ESV-R10-P1.
Solution: Update to version 9.9.4-P1, 9.8.6-P1, or 9.6-ESV-R10-P1...
 

#23 AplusWebMaster

Posted 13 January 2014 - 04:55 PM

FYI...

ISC BIND 9 updates...
- http://www.securityt....com/id/1029589
CVE Reference: https://web.nvd.nist...d=CVE-2014-0591
Jan 13 2014
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.6.0.x -> 9.6-ESV-R10-P1, 9.7 (all versions), 9.8.0 -> 9.8.6-P1, 9.9.0 -> 9.9.4-P1
Description: A vulnerability was reported in ISC BIND. A remote user can cause denial of service conditions...
Solution: The vendor has issued a fix (9.6-ESV-R10-P2, 9.8.6-P2, 9.9.4-P2).
The vendor's advisory is available at:
- https://kb.isc.org/a...le/AA-01078/74/

- http://atlas.arbor.n...ndex#-889130097
Elevated Severity
16 Jan 2014
ISC has released patches for BIND that resolve a Denial of Service condition.
Source: http://www.securityfocus.com/bid/64801
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 16 January 2014 - 08:49 PM.

#24 AplusWebMaster

Posted 31 January 2014 - 12:37 PM

FYI...

ISC BIND 9 updates...

BIND 9.9.5
- https://kb.isc.org/a...ease-Notes.html
Last Updated: 2014-01-31
- https://web.nvd.nist...d=CVE-2013-6230 - 6.8
- https://web.nvd.nist...d=CVE-2014-0591 - 2.6

BIND 9.8.7
- https://kb.isc.org/a...ease-Notes.html
Last Updated: 2014-01-31

BIND 9.6-ESV-R11
- https://kb.isc.org/a...ease-Notes.html
Last Updated: 2014-01-31

- https://www.isc.org/downloads/
 

:!:


#25 AplusWebMaster

Posted 09 May 2014 - 12:39 AM

FYI...

ISC BIND 9.10.0-P1
- http://www.securityt....com/id/1030214
CVE Reference: https://web.nvd.nist...d=CVE-2014-3214 - 5.0
May 9 2014
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.10.0 ...
Impact: A remote user can cause the target nameserver to crash.
Solution: The vendor has issued a fix (9.10.0-P1)...
The vendor's advisory is available at:
- https://kb.isc.org/article/AA-01161
8 May 2014
BIND Versions affected: 9.10.0
Severity: High
Release Notes:
- https://kb.isc.org/a...ease-Notes.html
 

:ph34r:


Edited by AplusWebMaster, 09 May 2014 - 01:21 PM.

#26 AplusWebMaster

Posted 13 June 2014 - 05:45 AM

FYI...

ISC BIND EDNS Option Processing Flaw ...
- http://www.securityt....com/id/1030414
CVE Reference: https://web.nvd.nist...d=CVE-2014-3859 - 5.0
Jun 12 2014
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.10.0, 9.10.0-P1 ...
Solution: The vendor has issued a fix (9.10.0-P2).
The vendor's advisory is available at:
- https://kb.isc.org/a...processing.html
 

:ph34r:


Edited by AplusWebMaster, 13 June 2014 - 05:58 PM.

#27 AplusWebMaster

Posted 10 December 2014 - 11:28 AM

FYI...

ISC.org website hacked: Scan your PC for malware if you stopped by
Cryptographically signed BIND, DHCP code safe...
- http://www.theregist...isc_org_hacked/
26 Dec 2014 - "The website for the Internet Systems Consortium, which develops the BIND DNS and ISC DHCP tools, has been hacked. Anyone who recently browsed ISC.org is urged to check their PC for malware as miscreants booby-trapped the site to infect visitors. The website has been replaced by a placeholder page warning netizens of the attack. ISC.org served pages using WordPress, and either that CMS or one of its plugins or support files was exploited to compromise the web server...  the source code to ISC's crucial software packages are stored on a separate server, and cryptographically signed to prove they haven't been tampered with. Its BIND DNS server and DHCP tools are widely used on the internet, and included in most Linux and Unix-flavored operating systems... People visiting the .org are likely to be involved in engineering software and hardware behind the scenes of the web; compromising them with malware could give attackers access to valuable systems and possibly the tools to subvert them... According to a blog post by Cyphort Labs*, ISC was warned its website was serving malware on December 22; the site was scrubbed clean and replaced by a placeholder the next day. Miscreants had managed to exploit some part of the CMS to redirect visitors to a page serving the Angler Exploit Kit. This package attempts to infect Windows PCs using security holes in Internet Explorer, Flash and Silverlight..."
* http://www.cyphort.c...c-org-infected/
___

ISC BIND 9 - CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND
- https://kb.isc.org/a...4/CVE-2014-8500
8 Dec 2014
CVE: https://web.nvd.nist...d=CVE-2014-8500
Program Impacted: BIND 9
Versions affected: 9.0.x -> 9.8.x, 9.9.0 -> 9.9.6, 9.10.0 -> 9.10.1
Severity: Critical
Exploitable: Remotely
Description: By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service...
Impact: All recursive resolvers are affected. Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone...
Workarounds: No workarounds exist. Vulnerable versions of BIND 9 should be upgraded.
Active exploits: No known active exploits...
Related Documents: See our BIND9 Security Vulnerability Matrix at:
- https://kb.isc.org/article/AA-00913 for a complete listing of Security Vulnerabilities and versions affected...
Solution: Upgrade to the patched release most closely related to your current version of BIND.
Patched builds of currently supported branches of BIND (9.9 and 9.10) can be downloaded via - http://www.isc.org/downloads
    BIND 9 version 9.9.6-P1
    BIND 9 version 9.10.1-P1
Regarding older versions: BIND 9.6-ESV and BIND 9.8 have been officially designated "end of life" (EOL) and no longer receive support. All organizations running EOL branches should be planning transition to currently supported branches. However, due to the severity of this particular issue, source code diffs which can be applied to BIND 9.8 and BIND 9.6-ESV will be made available on request to:
 security-officer@isc.org

- http://www.securityt....com/id/1031311
CVE Reference: CVE-2014-8500
Dec 9 2014
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.8.x, 9.9.0 - 9.9.6, 9.10.0 - 9.10.1
Solution: The vendor has issued a fix (9.9.6-P1, 9.10.1-P1)...
___

ISC BIND 9 - CVE-2014-8680: Defects in GeoIP features can cause BIND to crash
- https://kb.isc.org/a...4/CVE-2014-8680
8 Dec 2014
CVE: https://web.nvd.nist...d=CVE-2014-8680
Program Impacted: BIND 9
Versions affected: 9.10.0 -> 9.10.1 ...
Severity: High
Exploitable: Remotely
Description: Multiple errors have been identified in the GeoIP features added in BIND 9.10.  Two are capable of crashing BIND - triggering either can cause named to exit with an assertion failure, resulting in a denial of service condition. A third defect is also corrected, which could have caused GeoIP databases to not be loaded properly if their location was changed while BIND was running. Only servers built to include GeoIP functionality are affected.
Impact: The GeoIP features in BIND 9.10 are enabled by a compile-time option which is not selected by default. If you did not compile your BIND binary, or do not know whether you selected GeoIP features, you can test whether the functionality is compiled in by examining the output of the command "named -V" for "--with-geoip". Only servers which were compiled with GeoIP enabled can be affected by these defects. Servers which encounter either of the first two defects will terminate with an "assertion failure" error.
Workarounds:
Of the two errors, the first can occur with server binaries which were configured with GeoIP enabled if an IPv4 GeoIP database is loaded but no corresponding IPv6 database is found or if an IPv6 GeoIP database is loaded but no corresponding IPv4 database is found. This error can be avoided by ensuring that both IPv6 and IPv4 GeoIP databases are loaded.
A workaround for the second error is to disable IPv6 support by running named with the -4 option or configuring with "listen-on-v6 { none; };".
Upgrading to a patched version is recommended.
Active exploits: No known active exploits.
Solution: Upgrade to BIND 9.10.1-P1, which is available from http://www.isc.org/downloads

- http://www.securityt....com/id/1031312
CVE Reference: CVE-2014-8680
Dec 9 2014
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.10.0, 9.10.1 ...
Solution: The vendor has issued a fix (9.10.1-P1)...
 

:ph34r:  :ph34r:


Edited by AplusWebMaster, 28 December 2014 - 10:49 PM.

#28 AplusWebMaster

Posted 18 February 2015 - 09:52 PM

FYI...

ISC BIND 9 - CVE-2015-1349: Trust Anchor Management
- https://kb.isc.org/article/AA-01235
18 Feb 2015
CVE: https://web.nvd.nist...d=CVE-2015-1349   - 5.4
Program Impacted: BIND
Versions affected: BIND 9.7.0 -> BIND 9.10.1-P1.  Also, b1 and rc1 development versions of the upcoming BIND maintenance releases (9.9.7b1 & rc1, 9.10.2b1 & rc1) are affected.
BIND versions 9.9.6, 9.9.6-P1, 9.10.1, and 9.10.1-P1 will terminate consistently with an assertion in zone.c, but previous affected versions may exhibit unpredictable behaviour, including server crashes, due to the use of an improperly initialized variable...
Workarounds: For a workaround, do not use "auto" for the dnssec-validation or dnssec-lookaside options and do not configure a managed-keys statement.  In order to do DNSSEC validation with this workaround one would have to configure an explicit trusted-keys statement with the appropriate keys.
Active exploits: No known active exploits.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from:
- http://www.isc.org/downloads.
    BIND 9.9.6-P2
    BIND 9.10.1-P2
The issue is also fixed in the BIND development releases:
    BIND 9.9.7rc2
    BIND 9.10.2rc2 ...

- https://kb.isc.org/a...ity-Matrix.html

- https://kb.isc.org/c.../Release-Notes/
___

- http://www.securityt....com/id/1031763
CVE Reference: https://web.nvd.nist...d=CVE-2015-1349   - 5.4
Feb 18 2015

https://kb.isc.org/article/AA-01235
 

:ph34r:


Edited by AplusWebMaster, 05 May 2015 - 11:02 AM.

#29 AplusWebMaster

Posted 08 July 2015 - 01:01 PM

FYI...

BIND 9-version 9.9.7-P1, 9.10.2-P2 released
CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating
> BIND9 > Security Advisories
- https://kb.isc.org/a...Validating.html
2015-07-07
Severity: Critical
Exploitable: Remotely
Description: A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that named will exit with a "REQUIRE" failure in name.c when validating the data returned in answer to a recursive query. This means that a recursive resolver that is performing DNSSEC validation can be deliberately stopped by an attacker who can cause the resolver to perform a query against a maliciously-constructed zone.
Impact: A recursive resolver that is performing DNSSEC validation can be deliberately terminated by any attacker who can cause a query to be performed against a maliciously constructed zone. This will result in a denial of service to clients who rely on that resolver. DNSSEC validation is only performed by a recursive resolver if it has "dnssec-validation auto;" in its configuration or if it has a root trust anchor defined and has "dnssec-validation yes;" set (either by accepting the default or via an explicitly set value of "yes".)  
By default ISC BIND recursive servers will not validate. (However, ISC defaults may have been changed by your distributor.)
CVSS Score: 7.8
Workarounds: Disabling DNSSEC validation prevents exploitation of this defect but is not generally recommended.  The recommended solution is to upgrade to a patched version...
Solution: Upgrade to the patched release most closely related to your current version of BIND:
  BIND 9 version 9.9.7-P1
  BIND 9 version 9.10.2-P2
BIND9 Security Vulnerability Matrix: https://kb.isc.org/article/AA-00913

> https://web.nvd.nist...d=CVE-2015-4620
Last revised: 07/08/2015
___

- http://www.securityt....com/id/1032799
CVE Reference: CVE-2015-4620
Jul 7 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.7.1 - 9.7.7, 9.8.0 - 9.8.8, 9.9.0 - 9.9.7, 9.10.0 - 9.10.2-P1
Description: A vulnerability was reported in ISC BIND. A remote user can cause the target service to crash...
Solution: The vendor has issued a fix (9.9.7-P1, 9.10.2-P2).
 

:ph34r:


Edited by AplusWebMaster, 09 July 2015 - 06:13 AM.

#30 AplusWebMaster

Posted 28 July 2015 - 06:19 PM

FYI...

BIND9 Security Advisory - CVE-2015-5477: An error in handling TKEY queries ...
- https://kb.isc.org/article/AA-01272
2015-07-28 - "A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.
CVE: CVE-2015-5477
Document Version: 2.0
Posting date: 28 July 2015
Program Impacted: BIND
Versions affected: 9.1.0 -> 9.8.x, 9.9.0->9.9.7-P1, 9.10.0->9.10.2-P2
Severity: Critical
Exploitable: Remotely
Description: An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
Impact: Both recursive and authoritative servers are vulnerable to this defect.  Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.
All versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND 9.9.7-P1 and BIND 9.10.2-P2 are vulnerable.
Operators should take steps to upgrade to a patched version as soon as possible.
CVSS Score: 7.8
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Workarounds: None.
Active exploits: None known.
Solution: Upgrade to the patched release most closely related to your current version of BIND.  These can be downloaded from:

- http://www.isc.org/downloads
    BIND 9 version 9.9.7-P2
    BIND 9 version 9.10.2-P3
___

- http://www.securityt....com/id/1033100
CVE Reference: CVE-2015-5477
Jul 29 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.1.0 - 9.8.x, 9.9.0 - 9.9.7-P1, 9.10.0 - 9.10.2-P2 ...
Solution: The vendor has issued a fix (9.9.7-P2, 9.10.2-P3).
___

- http://www.infoworld...tware-flaw.html
Aug 3, 2015
> https://blog.sucuri....n-the-wild.html
Aug 2, 2015 - "... We can confirm that the attacks have begun... If you have not patched your DNS server, do it now.."
 

:ph34r:


Edited by AplusWebMaster, 03 August 2015 - 09:12 AM.

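A triage helper for the advisories quoted in posts #27 and #30, as an added example that is not part of the original posts or of ISC's tooling: it reads `named -V` output, orders BIND version strings (beta < rc < release < `-P` patch level), and reports which of three "Versions affected" ranges from this thread apply, including the `--with-geoip` build check described for CVE-2014-8680. Function names and the sample banners are constructed; ESV and `-S` version strings are assumed out of scope and rejected.

```python
import re

# "Versions affected" ranges copied from the advisories quoted in posts #27 and #30.
# Bounds are inclusive; "x" is the advisories' own wildcard.
ADVISORIES = {
    "CVE-2014-8500": ([("9.0.x", "9.8.x"), ("9.9.0", "9.9.6"), ("9.10.0", "9.10.1")], None),
    # Only binaries built with GeoIP are affected (the advisory's "named -V" check).
    "CVE-2014-8680": ([("9.10.0", "9.10.1")], "--with-geoip"),
    "CVE-2015-5477": ([("9.1.0", "9.8.x"), ("9.9.0", "9.9.7-P1"), ("9.10.0", "9.10.2-P2")], None),
}

# major.minor.patch, optional bN/rcN pre-release, optional -PN security patch level.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+|x)(?:(b|rc)(\d+))?(?:-P(\d+))?")
_STAGE = {"b": 0, "rc": 1, None: 2}  # a final release sorts after its betas and rcs
_BANNER = re.compile(r"^BIND (\S+)", re.M)


def version_key(text, upper=False):
    """Return a sortable tuple for a BIND version such as 9.9.7rc2 or 9.10.2-P2.

    A trailing vendor suffix (for example a distribution package revision) is
    ignored, so a distro build that backports fixes can still be reported as
    affected; confirm with the vendor in that case.
    """
    m = _VERSION.match(text)
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    major, minor, patch, stage, stage_n, plevel = m.groups()
    if patch == "x":
        # Wildcard: lowest possible key as a lower bound, highest as an upper bound.
        edge = float("inf") if upper else 0
        return (int(major), int(minor), edge, 0, 0, 0)
    return (int(major), int(minor), int(patch),
            _STAGE[stage], int(stage_n or 0), int(plevel or 0))


def parse_named_v(output):
    """Extract the version token from the first 'BIND <version>' line of named -V."""
    m = _BANNER.search(output)
    if not m:
        raise ValueError("no 'BIND <version>' line found")
    return m.group(1)


def applicable(named_v_output):
    """List the advisories in ADVISORIES whose range and build condition both match."""
    key = version_key(parse_named_v(named_v_output))
    hits = []
    for cve, (ranges, needs_flag) in ADVISORIES.items():
        in_range = any(version_key(lo) <= key <= version_key(hi, upper=True)
                       for lo, hi in ranges)
        if in_range and (needs_flag is None or needs_flag in named_v_output):
            hits.append(cve)
    return sorted(hits)


# Constructed sample banners (not captured from a real server).
SAMPLE_GEOIP = "BIND 9.10.1 <id:constructed> built by make with '--prefix=/usr' '--with-geoip'\n"
SAMPLE_PLAIN = "BIND 9.10.1 <id:constructed> built by make with '--prefix=/usr'\n"
SAMPLE_FIXED = "BIND 9.10.2-P3 <id:constructed> built by make with '--with-geoip'\n"

if __name__ == "__main__":
    for banner in (SAMPLE_GEOIP, SAMPLE_PLAIN, SAMPLE_FIXED):
        print(parse_named_v(banner), applicable(banner))
```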

#31 AplusWebMaster


Posted 03 September 2015 - 05:42 AM

FYI...

CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c
- https://kb.isc.org/article/AA-01291/0
Last Updated: 2015-09-02
CVE: CVE-2015-5986
Document Version: 2.0
Program Impacted: BIND
Versions affected: 9.9.7 -> 9.9.7-P2, 9.10.2 -> 9.10.2-P3.
Severity: Critical
Exploitable: Remotely
Description: An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure.  This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query.
Impact: A server which encounters this error will terminate due to a REQUIRE assertion failure, resulting in denial of service to clients. Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server. Servers should be upgraded to a fixed version.
Workarounds: No workarounds are known to exist.
Active exploits: None known.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.
    BIND 9 version 9.9.7-P3
    BIND 9 version 9.10.2-P4 ...

CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
- https://kb.isc.org/article/AA-01287/0
Last Updated: 2015-09-02
CVE: CVE-2015-5722
Document Version: 2.0
Program Impacted: BIND
Versions affected: BIND 9.0.0 -> 9.8.8,  BIND 9.9.0 -> 9.9.7-P2, BIND 9.10.0 -> 9.10.2-P3
Severity: Critical
Exploitable: Remotely
Description: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c.  It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key.
Impact: Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service. Servers which are affected may terminate with an assertion failure, causing denial of service to all clients.
Workarounds: Servers which are not performing validation are not at risk from this defect (but are at increased risk from other types of DNS attack.)  ISC does not recommend disabling validation to deal with this issue; upgrading to a fixed version is the preferred solution.
Active exploits: None known
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.
    BIND 9 version 9.9.7-P3
    BIND 9 version 9.10.2-P4 ...
___

- http://www.securityt....com/id/1033452
CVE Reference: CVE-2015-5722
Sep 2 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.0 - 9.8.8, 9.9.0 - 9.9.7-P2, 9.10.0 - 9.10.2-P3
Description: A vulnerability was reported in BIND. A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.7-P3, 9.10.2-P4, 9.9.8rc1, 9.10.3rc1)...

- http://www.securityt....com/id/1033453
CVE Reference: CVE-2015-5986
Sep 2 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.9.7 - 9.9.7-P2, 9.10.2 - 9.10.2-P3
Description: A vulnerability was reported in BIND. A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.7-P3, 9.10.2-P4, 9.9.8rc1, 9.10.3rc1)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 03 September 2015 - 06:32 AM.

#32 AplusWebMaster

Posted 16 September 2015 - 03:00 PM

FYI...

BIND 9.9.8-S1 Release Notes
- https://kb.isc.org/article/AA-01307
2015-09-16
Security Fixes:
• An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
• A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
• A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
• On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]
New Features...
Feature Changes...
Bug Fixes...
___

BIND 9.10.3 Release Notes
- https://kb.isc.org/article/AA-01306
2015-09-16
Security Fixes:
• An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
• A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
• A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
• On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server...
New Features...
Feature Changes...
Bug Fixes...

Downloads: https://www.isc.org/downloads/

Support Policy: https://www.isc.org/...support-policy/
 

:ph34r: :ph34r:


#33 AplusWebMaster

Posted 15 December 2015 - 07:10 PM

FYI...

BIND9: Responses with a malformed class attribute can trigger an assertion failure
- https://kb.isc.org/article/AA-01317
15 Dec 2015
CVE: CVE-2015-8000
9.0.x -> 9.9.8, 9.10.0 -> 9.10.3
Severity: Critical
Exploitable: Remotely
Solution: Upgrade to the patched release most closely related to your current version of BIND. Public open-source branches can be downloaded from
> http://www.isc.org/downloads
    BIND 9 version 9.9.8-P2
    BIND 9 version 9.10.3-P2
BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to ISC Support customers.
    BIND 9 version 9.9.8-S3 ...
Download: https://www.isc.org/downloads/
- http://www.securityt....com/id/1034418
CVE Reference: CVE-2015-8000
Dec 15 2015
Impact:  Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.9.8, 9.10.0 - 9.10.3
Servers that perform recursive queries are affected.
Impact: A remote user can cause the target named service to crash.
Solution: The vendor has issued a fix (9.9.8-P2, 9.10.3-P2)...
___

BIND9: A race condition when handling socket errors can lead to an assertion failure in resolver.c
- https://kb.isc.org/article/AA-01319
15 Dec 2015
CVE: CVE-2015-8461
Program Impacted: BIND
Versions affected: 9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1
Solution: Upgrade to the patched release most closely related to your current version of BIND. Public open-source branches can be downloaded from
> http://www.isc.org/downloads
    BIND 9 version 9.9.8-P2
    BIND 9 version 9.10.3-P2 ...
Download: https://www.isc.org/downloads/
- http://www.securityt....com/id/1034419
CVE Reference: CVE-2015-8461
Dec 15 2015
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.9.8 - 9.9.8-P1, 9.9.8-S1 - 9.9.8-S2, 9.10.3 - 9.10.3-P1
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.8-P2, 9.10.3-P2)...
___

- https://www.us-cert....ty-Updates-BIND
15 Dec 2015
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 15 December 2015 - 07:45 PM.

#34 AplusWebMaster

Posted 13 January 2016 - 05:53 AM

FYI...

ISC DHCP v4.1-ESV-R12-P1, v4.3.3-P1 released
- https://kb.isc.org/article/AA-01334
2016-01-12
CVE-2015-8605: UDP payload length not properly checked
Program Impacted: DHCP
Versions affected: 4.0.x, 4.1.x, 4.2.x, 4.1-ESV -> 4.1-ESV-R12, 4.3.0->4.3.3.  3.x may also be affected but has not been tested.
Severity: Medium
Exploitable: From adjacent networks
Description: A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.
Impact: Nearly all IPv4 DHCP clients and relays, and most IPv4 DHCP servers are potentially affected...
Solution:  Upgrade to the patched release most closely related to your current version of DHCP. These can all be downloaded from
- http://www.isc.org/downloads.
    DHCP version 4.1-ESV-R12-P1
    DHCP version 4.3.3-P1
- https://cve.mitre.or...e=CVE-2015-8605

- https://www.us-cert....ecurity-Updates
Jan 12, 2016
___

- http://www.securityt....com/id/1034657
CVE Reference: CVE-2015-8605
Jan 13 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0.x, 4.1.x, 4.2.x, 4.1-ESV - 4.1-ESV-R12, 4.3.0 - 4.3.3
Impact: A remote user on the local network can cause the target client, relay, or server to crash.
Solution: The vendor has issued a fix (4.1-ESV-R12-P1, 4.3.3-P1)...
 

:ph34r: :ph34r:


#35 AplusWebMaster

Posted 19 January 2016 - 10:37 PM

FYI...

ISC BIND updates

Specific APL data could trigger an INSIST in apl_42.c
- https://kb.isc.org/article/AA-01335
2016-01-19
CVE-2015-8704
Program Impacted: BIND
Versions affected: 9.3.0->9.8.8, 9.9.0->9.9.8-P2, 9.9.3-S1->9.9.8-S3, 9.10.0->9.10.3-P2
Severity: High
Exploitable: Remotely
Description: A buffer size check used to guard against overflow could cause named to exit with an INSIST failure in apl_42.c.
Impact: A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations.  Examples include (but may not be limited to):
- Slaves using text-format db files could be vulnerable if receiving a malformed record in a zone transfer from their master.
- Masters using text-format db files could be vulnerable if they accept a malformed record in a DDNS update message.
- Recursive resolvers are potentially vulnerable when debug logging, if they are fed a deliberately malformed record by a malicious server.
- A server which has cached a specially constructed record could encounter this condition while performing 'rndc dumpdb'.
Please Note: Versions of BIND from 9.3 through 9.8 are also affected, but these branches are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC. For current information on which versions are actively supported, please see
- http://www.isc.org/downloads/
CVSS Score: 6.8
___

Problems converting OPT resource records and ECS options to text format can cause BIND to terminate
- https://kb.isc.org/article/AA-01336
2016-01-19
BIND
Versions affected: 9.10.0->9.10.3-P2
Severity: Medium
Exploitable: Remotely
Description: In versions of BIND 9.10, errors can occur when OPT pseudo-RR data or ECS options are formatted to text. In 9.10.3 through 9.10.3-P2, the issue may result in a REQUIRE assertion failure in buffer.c. In prior 9.10 versions, it may result in named crashing (such as with a segmentation fault) or other misbehavior due to a buffer overrun.
Impact: This issue can affect both authoritative and recursive servers if they are performing debug logging. (It may also crash related tools which use the same code, such as dig or delv.)
Workarounds: CVE-2015-8705 can be avoided in named by disabling debug logging.
Active exploits: No known active exploits.
Solution:  Upgrade to the patched release most closely related to your current version of BIND.  
This can be downloaded from
- http://www.isc.org/downloads.
BIND 9 version 9.10.3-P3
CVSS Score: 5.4
___

- https://www.us-cert....ty-Updates-BIND
Jan 19, 2016

- http://www.securityt....com/id/1034740
CVE Reference: CVE-2015-8705
Jan 20 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.10.0 - 9.10.3-P2 ...
Impact: A remote user can cause the target 'named' service to crash.
Solution: The vendor has issued a fix (9.10.3-P3)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 05 February 2016 - 08:04 AM.

#36 AplusWebMaster

Posted 08 March 2016 - 06:38 AM

FYI...

DHCP inter-server communications and control channels can exhaust server resources
- https://kb.isc.org/article/AA-01354
Last Updated: 2016-03-08
CVE: CVE-2016-2774
Program Impacted: ISC DHCP
Versions affected: 4.1.0->4.1-ESV-R12-P1, 4.2.0->4.2.8, 4.3.0->4.3.3-P1.  Older versions may also be affected but are well beyond their end-of-life (EOL).  Releases prior to 4.1.0 have not been tested.
Severity: Medium
Exploitable: Remotely, if remote network connections to the DHCP server's control ports (e.g. OMAPI and failover) are permitted.
Description: In many cases, the ISC DHCP server does not effectively limit the number of simultaneous open TCP connections to the ports the server uses for inter-process communications and control.  Because of this, a malicious party could interfere with server operation by opening (and never closing) a large number of TCP connections to the server...
Solution: Mitigation code which will make this vulnerability harder to exploit will be added to the upcoming DHCP maintenance releases (DHCP 4.1-ESV-R13, DHCP 4.3.4, due to be released in March 2016.)
However, the strategies described in the "Workarounds" section of this document are effective and can prevent exploitation of the vulnerability.  Unless server operators have identified operational needs unique to their environment which conflict with this advice, ISC recommends blocking incoming TCP connections from untrusted hosts as a preferred strategy...
- http://www.securityt....com/id/1035196
CVE Reference: CVE-2016-2774
Mar 8 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.1.0 - 4.1-ESV-R12-P1, 4.2.0 - 4.2.8, 4.3.0 - 4.3.3-P1 ...
Impact: A remote user on the local network can cause the target DHCP service to become unresponsive or fail.
Solution: The vendor has issued a fix (4.1-ESV-R13, 4.3.4)...

 

- https://www.us-cert....tes-DHCP-Server
Mar 07, 2016
 

Edited by AplusWebMaster, 08 March 2016 - 06:39 AM.

#37 AplusWebMaster

Posted 10 March 2016 - 09:06 AM

FYI...

ISC BIND 9.10.3-P4, 9.9.8-P4, 9.9.8-S6 released

- https://kb.isc.org/article/AA-01351
9 March 2016
Versions affected: 9.10.0 -> 9.10.3-P3
Severity: High
Exploitable: Remotely ...
Active exploits: No known active exploits.
Solution: Re-configure and re-build BIND without enabling cookie support or upgrade to the patched release most closely related to your current version of BIND. BIND 9 version 9.10.3-P4
... please see:
- http://www.isc.org/downloads/

- https://kb.isc.org/article/AA-01352
9 March 2016
Versions affected: 9.2.0 -> 9.8.8, 9.9.0->9.9.8-P3, 9.9.3-S1->9.9.8-S5, 9.10.0->9.10.3-P3
Severity: High
Active exploits: No known active exploits.
Solution: Upgrade to the patched release most closely related to your current version of BIND.
    BIND 9 version 9.9.8-P4
    BIND 9 version 9.10.3-P4
BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to eligible ISC Support customers.
    BIND 9 version 9.9.8-S6
... please see:
- http://www.isc.org/downloads/

- https://kb.isc.org/article/AA-01353
9 March 2016
Versions affected: 9.0.0 -> 9.8.8, 9.9.0 -> 9.9.8-P3, 9.9.3-S1 -> 9.9.8-S5,  9.10.0 -> 9.10.3-P3
Severity: High
Solution: Upgrade to the patched release most closely related to your current version of BIND:
    BIND 9 version 9.9.8-P4
    BIND 9 version 9.10.3-P4
BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to eligible ISC Support customers.
    BIND 9 version 9.9.8-S6
... please see:
- http://www.isc.org/downloads/
___

> http://www.securityt....com/id/1035236
Solution: The vendor has issued a fix (9.9.8-P4, 9.10.3-P4)...

> http://www.securityt....com/id/1035237
Solution: The vendor has issued a fix (9.9.8-P4, 9.10.3-P4)...

> http://www.securityt....com/id/1035238
Solution: The vendor has issued a fix (9.10.3-P4)...
___

- https://www.us-cert....ty-Updates-BIND
March 09, 2016
 

Edited by AplusWebMaster, 11 March 2016 - 09:03 AM.

#38 AplusWebMaster

Posted 19 July 2016 - 12:51 PM

FYI...

BIND: CVE-2016-2775: A query name which is too long can cause a segmentation fault in lwresd
- https://kb.isc.org/a...4/CVE-2016-2775
Posting date: 18 July 2016
Program Impacted: BIND
Versions affected: 9.0.x -> 9.9.9-P1, 9.10.0->9.10.4-P1, 9.11.0a3->9.11.0b1
Severity: Medium
Exploitable: Remotely (if lwresd is configured to accept remote client connections)...
Impact: A server which is affected by this defect will terminate with a segmentation fault error, resulting in a denial of service to client programs attempting to resolve names.
CVSS Score: 5.4 if the server is configured to accept requests from the network...
Solution: Upgrade to the patched release most closely related to your current version of BIND.
These can be downloaded from:
> https://www.isc.org/downloads/

- http://www.securityt....com/id/1036360
CVE Reference: https://web.nvd.nist...d=CVE-2016-2775
Jul 19 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.9.9-P1, 9.10.0 - 9.10.4-P1, 9.11.0a3 - 9.11.0b1 ...
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P2, 9.10.4-P2)...
 

Edited by AplusWebMaster, 20 July 2016 - 07:13 AM.

#39 AplusWebMaster

Posted 28 September 2016 - 03:30 AM

FYI...

BIND CVE-2016-2776: Assertion Failure in buffer.c While Building Responses...
- https://kb.isc.org/article/AA-01419/0
2016-09-27
Program Impacted: BIND
Versions affected: 9.0.x -> 9.8.x, 9.9.0->9.9.9-P2, 9.9.3-S1->9.9.9-S3, 9.10.0->9.10.4-P2, 9.11.0a1->9.11.0rc1
Severity: High
Exploitable: Remotely
Description: Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query').
Impact: All servers are vulnerable if they can receive request packets from any source.
CVSS Score: 7.8
Solution: Upgrade to the patched release most closely related to your current version of BIND.  These can all be downloaded from
- http://www.isc.org/downloads
    BIND 9 version 9.9.9-P3
    BIND 9 version 9.10.4-P3
    BIND 9 version 9.11.0rc3
___

- http://www.securityt....com/id/1036903
CVE Reference: CVE-2016-2776
Sep 27 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.8.x, 9.9.0 - 9.9.9-P2, 9.9.3-S1 - 9.9.9-S3, 9.10.0 - 9.10.4-P2, 9.11.0a1 - 9.11.0rc1
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P3, 9.10.4-P3, 9.11.0rc3)...
___

- https://www.us-cert....ty-Updates-BIND
Sep 27, 2016
 


#40 AplusWebMaster

Posted 21 October 2016 - 06:37 AM

FYI...

CVE-2016-2848: A packet with malformed options can trigger an assertion failure in ISC BIND ...
- https://kb.isc.org/article/AA-01433
2016-10-20
Program Impacted: BIND
Versions affected: 9.1.0 -> 9.8.4-P2, 9.9.0 -> 9.9.2-P2
Severity: High
Exploitable: Remotely
Description: A packet with a malformed options section can be used to deliberately trigger an assertion failure affecting versions of BIND which do not contain change #3548, which was first included in ISC BIND 9 releases in May 2013.  Current ISC versions of BIND are safe from this vulnerability, but repackaged versions distributed by other parties may be vulnerable if they were forked from ISC's source before change #3548.
Impact: A server vulnerable to this defect can be forced to exit with an assertion failure if it receives a malformed packet. Authoritative and recursive servers are both vulnerable...
Solution: The vulnerability described in this security advisory was corrected by bug fixes which occurred during the normal course of BIND development and release versions of BIND published by ISC have been safe against this vulnerability since May 2013. However, versions which were released prior to that date, including some versions which have been used as the basis for installable packages by operating system vendors who maintain their own BIND versions, may be vulnerable.
The CHANGES file distributed with every version of BIND source contains a chronological list of source code changes in each branch's history. Safe versions of BIND contain fix #3548. If you did not receive source code with your distribution of BIND and cannot check CHANGES, check with the package provider who has furnished the BIND distribution you are using.  
Current versions of BIND available from ISC are confirmed to be free of the vulnerability. These can all be downloaded from:
- https://www.isc.org/downloads/
    BIND 9 version 9.9.9-P3
    BIND 9 version 9.10.4-P3
    BIND 9 version 9.11.0 ...
___

- http://www.securityt....com/id/1037073
CVE Reference: CVE-2016-2848
Oct 20 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 9.1.0 - 9.8.4, 9.9.0 - 9.9.2; [versions released prior to May 2013] ...
Impact: A remote user can cause the target 'named' service to crash.
Solution: The vendor issued a fix (9.9.9-P3, 9.10.4-P3, 9.11.0) [in May 2013]...
___

- https://www.us-cert....curity-Advisory
Oct 20 2016
 


#41 AplusWebMaster

Posted 02 November 2016 - 05:00 AM

FYI...

CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure
- https://kb.isc.org/article/AA-01434/0
1 Nov 2016
BIND
Versions affected: 9.0.x -> 9.8.x, 9.9.0 -> 9.9.9-P3, 9.9.3-S1 -> 9.9.9-S5, 9.10.0 -> 9.10.4-P3, 9.11.0
Severity: High
Exploitable: Remotely
Description: A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c
Impact: During processing of a recursive response that contains a DNAME record in the answer section, BIND can stop execution after encountering an assertion error in resolver.c (error message: "INSIST((valoptions & 0x0002U) != 0) failed") or db.c (error message: "REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed").
A server encountering either of these error conditions will stop, resulting in denial of service to clients.  The risk to authoritative servers is minimal; recursive servers are chiefly at risk.
Solution:  Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P4
    BIND 9 version 9.10.4-P4
    BIND 9 version 9.11.0-P1 ...
___

- http://www.securityt....com/id/1037156
CVE Reference: CVE-2016-8864
Nov 1 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.8.x, 9.9.0 - 9.9.9-P3, 9.9.3-S1 - 9.9.9-S5, 9.10.0 - 9.10.4-P3, 9.11.0
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P4, 9.10.4-P4, 9.11.0-P1)...
___

- https://www.us-cert....ty-Updates-BIND
Nov 1 2016
 


#42 AplusWebMaster

Posted 12 January 2017 - 04:08 AM

FYI...

BIND9 - Security Advisories

CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion
- https://kb.isc.org/article/AA-01439/0
2017-01-11
Versions affected:
9.4.0 -> 9.6-ESV-R11-W1, 9.8.5 -> 9.8.8, 9.9.3 -> 9.9.9-P4, 9.9.9-S1 -> 9.9.9-S6, 9.10.0 -> 9.10.4-P4, 9.11.0 -> 9.11.0-P1
Severity: High
Exploitable: Remotely...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P5
    BIND 9 version 9.10.4-P5
    BIND 9 version 9.11.0-P2 ...
___

CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure
- https://kb.isc.org/article/AA-01440/0
2017-01-11
Versions affected:
9.9.9-P4, 9.9.9-S6, 9.10.4-P4, 9.11.0-P1
Severity: High
Exploitable: Remotely...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P5
    BIND 9 version 9.10.4-P5
    BIND 9 version 9.11.0-P2 ...
___

CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure
- https://kb.isc.org/article/AA-01441/0
2017-01-11
Versions affected:
9.6-ESV-R9 -> 9.6-ESV-R11-W1, 9.8.5 -> 9.8.8, 9.9.3 -> 9.9.9-P4, 9.9.9-S1 -> 9.9.9-S6, 9.10.0 -> 9.10.4-P4, 9.11.0 -> 9.11.0-P1
Severity: High
Exploitable: Remotely...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P5
    BIND 9 version 9.10.4-P5
    BIND 9 version 9.11.0-P2 ...
___

CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c
- https://kb.isc.org/article/AA-01442/0
2017-01-11
Versions affected:
9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0 -> 9.11.0-P1
Severity: High (for affected configurations)
Exploitable: Remotely...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.11.0-P2
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9.9.9-S7 ...
___

- http://www.securityt....com/id/1037582
CVE Reference: CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778
Jan 12 2017
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can cause the target 'named' service to stop processing.
Solution: The vendor has issued a fix (9.9.9-P5, 9.10.4-P5, 9.11.0-P2)...
___

- https://www.us-cert....ty-Updates-BIND
Jan 11, 2017
 

Edited by AplusWebMaster, 12 January 2017 - 05:23 AM.

#43 AplusWebMaster

Posted 13 April 2017 - 03:25 AM

FYI...

CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
- https://kb.isc.org/a...4/CVE-2017-3136
12 April 2017
CVE-2017-3136
Program Impacted: BIND
Versions affected: 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8
Severity: Medium, but only a risk to systems with specific configurations
Exploitable: Remotely
Description: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.
An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.
Impact: Servers are at risk if they are configured to use DNS64 and if the option "break-dnssec yes;" is in use...
Workarounds: Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade.  Servers which are not using these features in conjunction are not at risk from this defect.
Active exploits: No known active exploits.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads
    BIND 9 version 9.9.9-P8
    BIND 9 version 9.10.4-P8
    BIND 9 version 9.11.0-P5 ...
___

CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
- https://kb.isc.org/a...4/CVE-2017-3137
12 April 2017
CVE-2017-3137
Program Impacted: BIND
Versions affected: 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8
Severity: High
Exploitable: Remotely
Description: Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order.
Impact: A server which is performing recursion can be forced to exit with an assertion failure if it can be caused to receive a response containing CNAME or DNAME resource records with certain ordering.  An attacker can cause a denial of service by exploiting this condition. Recursive resolvers are at highest risk but authoritative servers are theoretically vulnerable if they perform recursion...
Workarounds: None known.
Active exploits: No known active exploits.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads
    BIND 9 version 9.9.9-P8
    BIND 9 version 9.10.4-P8
    BIND 9 version 9.11.0-P5 ...
___

CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
- https://kb.isc.org/a...4/CVE-2017-3138
12 April 2017
CVE-2017-3138
Program Impacted: BIND
Versions affected: 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9
Severity: Medium
Exploitable: Remotely, from hosts that are within the ACL permitted access to the control channel
Description: named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc.
A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string.
Impact: The BIND control channel is not configured by default, but when configured will accept commands from those IP addresses that are specified in its access control list and/or from clients which present the proper transaction key.  Using this defect, an attacker can cause a running server to stop if they can get it to accept control channel input from them.  In most instances this is not as bad as it sounds, because existing commands permitted over the control channel (i.e. "rndc stop") can already be given to cause the server to stop.
However, BIND 9.11.0 introduced a new option to allow "read only" commands over the command channel.  Using this restriction, a server can be configured to limit specified clients to giving control channel commands which return information only (e.g. "rndc status") without affecting the operational state of the server. The defect described in this advisory, however, is not properly stopped by the "read only" restriction, in essence permitting a privilege escalation allowing a client which should only be permitted the limited set of "read only" operations to cause the server to stop execution...
Workarounds: None.  However, in a properly configured server, access to the control channel should already be limited by either network ACLs, TSIG keys, or both.
Active exploits: No known active exploits
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads
    BIND 9 version 9.9.9-P8
    BIND 9 version 9.10.4-P8
    BIND 9 version 9.11.0-P5
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9 version 9.9.9-S10
New maintenance releases of BIND are also scheduled which contain the fix for this vulnerability.  In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions:
    BIND 9 version 9.9.10rc3
    BIND 9 version 9.10.5rc3
    BIND 9 version 9.11.1rc3 ...
___

- http://www.securityt....com/id/1038259
CVE Reference: CVE-2017-3136
Apr 13 2017
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P8, 9.10.4-P8, 9.11.0-P5)...

- http://www.securityt....com/id/1038258
CVE Reference: CVE-2017-3137
Apr 13 2017
Impact: A remote user can cause the target 'named' service to crash.
Solution: The vendor has issued a fix (9.9.9-P8, 9.10.4-P8, 9.11.0-P5)...

- http://www.securityt....com/id/1038260
CVE Reference: CVE-2017-3138
Apr 13 2017
Impact: A remote user on a host authorized by ACL can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P8, 9.10.4-P8, 9.11.0-P5)...
___

- https://www.us-cert....ty-Updates-BIND
April 12, 2017
 

Edited by AplusWebMaster, 14 April 2017 - 05:02 AM.

#44 AplusWebMaster

Posted 15 June 2017 - 05:14 AM

FYI...

CVE-2017-3141: Windows service and uninstall paths are not quoted when BIND is installed
- https://kb.isc.org/a...4/CVE-2017-3141
2017-06-14
CVE: CVE-2017-3141
Document Version: 2.0
Posting date: 14 Jun 2017
Program Impacted: BIND
Versions affected: 9.2.6-P2->9.2.9, 9.3.2-P1->9.3.6, 9.4.0->9.8.8, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, 9.10.5-S1
Severity: Critical
Exploitable: Locally
Description: The BIND installer on Windows uses an unquoted service path which can enable a local user to achieve privilege escalation if the host file system permissions allow this.
Impact: This vulnerability exists in the installer delivered with BIND for Windows and not within BIND itself.  Non-Windows builds and installations are unaffected.  A manual installation of BIND where the service path is quoted when added would not be at risk...
Workarounds: BIND installations on Windows are not at risk if the host file permissions prevent creation of a binary in a location where the service executor would run it instead of named.exe.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads

- http://www.securityt....com/id/1038693
CVE Reference: CVE-2017-3141
Jun 15 2017
Version(s): 9.2.6-P2 - 9.2.9, 9.3.2-P1 - 9.3.6, 9.4.0 - 9.8.8, 9.9.0 - 9.9.10, 9.10.0 - 9.10.5, 9.11.0 - 9.11.1, 9.9.3-S1 - 9.9.10-S1, 9.10.5-S1
Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (9.9.10-P1, 9.10.5-P1, 9.11.1-P1).
Vendor URL: https://kb.isc.org/a...4/CVE-2017-3141
___

CVE-2017-3140: An error processing RPZ rules can cause named to loop endlessly after handling a query
- https://kb.isc.org/a...4/CVE-2017-3140
2017-06-14
CVE: CVE-2017-3140
Document Version: 2.0
Posting date: 14 June 2017
Program Impacted: BIND
Versions affected: 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, 9.10.5-S1
Severity: Medium
Exploitable: Remotely
Description: If named is configured to use Response Policy Zones (RPZ) an error processing some rule types can lead to a condition where BIND will endlessly loop while handling a query.
Impact: A server is potentially vulnerable to degradation of service if
    1. the server is configured to use RPZ,
    2. the server uses NSDNAME or NSIP policy rules, and
    3. an attacker can cause the server to process a specific query
Successful exploitation of this condition will cause named to enter a state where it continues to loop while processing the query without ever reaching an end state. While in this state, named repeatedly queries the same sets of authoritative nameservers and this behavior will usually persist indefinitely beyond the normal client query processing timeout. By triggering this condition multiple times, an attacker could cause a deliberate and substantial degradation in service.
Operators of servers that meet the above conditions 1. and 2. may also accidentally encounter this defect during normal operation. It is for this reason that the decision was made to issue this advisory despite its low CVSS score...
 
- http://www.securityt....com/id/1038692
CVE Reference: CVE-2017-3140
Jun 15 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.9.10, 9.10.5, 9.11.0 - 9.11.1, 9.9.10-S1, 9.10.5-S1
Impact: A remote user can cause denial of service conditions.
Solution: The vendor has issued a fix (9.9.10-P1, 9.10.5-P1, 9.11.1-P1)...
- https://kb.isc.org/a...4/CVE-2017-3140
___

Operational Notification: LMDB integration problems with BIND 9.11.0 and 9.11.1
- https://kb.isc.org/article/AA-01497
2017-06-14
BIND 9.11.0 and 9.11.1 carry a number of integration problems with LMDB (liblmdb) that will be addressed in BIND 9.11.2.
Description: ISC will be releasing BIND 9.11.2 in July/August 2017 which will address integration issues with BIND's use of LMDB in BIND 9.11.0 and 9.11.1.  Until then, our recommendation is that LMDB be disabled.
Use of LMDB for the "New Zone Database" (NZD) is a new feature in BIND 9.11, introduced in order to provide significant performance improvements during dynamic zone handling.  It is enabled by default when building BIND on a system that has liblmdb installed and some packagers of BIND 9.11 include this feature (along with the liblmdb dependency) in their distribution.
Impact: Problems that may be encountered on servers with LMDB enabled and "allow-new-zones yes;" include:
    Some new zones fail to persist following a restart, reload or reconfig
    Zone deletions are incomplete leading to anomalies on restart and/or when re-adding zones
    On a server that is started with the -u option, issuing the commands "rndc reload" or "rndc reconfig" may result in named terminating unexpectedly
    A deadlock (hang) of named sometimes occurs during concurrent dynamic zone operations
Workarounds: If building BIND 9.11 in an environment with liblmdb available, ensure that the integration is explicitly disabled by building BIND with the configure option --without-lmdb.
    There are no run time options available to disable lmdb integration, therefore if you are running a pre-built (package) version of BIND 9.11.0 or 9.11.2 that provides LMDB integration along with installing liblmdb as a dependent package, we recommend contacting your provider to request an update.
Solution: BIND 9.11.2 will be published in July/August 2017. At that time it will become available for download from: http://www.isc.org/downloads/all
___

- https://www.us-cert....ty-Updates-BIND
June 15, 2017
 


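An audit for the unquoted service path condition described under CVE-2017-3141 in the post above, as an added Python example (not part of the original post and not ISC's code). The function names and the sample paths are assumptions made for illustration; feed it the ImagePath values of the services you are checking.

```python
"""Audit Windows service ImagePath strings for the unquoted-path condition.

The sample paths below are constructed for illustration; substitute the
ImagePath values read from the services being audited.
"""
import ntpath
import re

_EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)

# Constructed samples: unquoted with spaces, quoted, unquoted without spaces.
SAMPLES = [
    r'C:\Program Files\ISC BIND 9\bin\named.exe',
    r'"C:\Program Files\ISC BIND 9\bin\named.exe"',
    r'C:\named\bin\named.exe',
]


def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    text = image_path.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in ImagePath")
        return text[1:end], text[end + 1:].strip(), True
    found = _EXE_END.search(text)
    if found:
        # Unquoted: take everything up to the first ".exe" as the program.
        return text[:found.end()], text[found.end():].strip(), False
    # No ".exe" at all: fall back to the first whitespace-delimited token.
    head, _, tail = text.partition(" ")
    return head, tail.strip(), False


def audit_image_path(image_path):
    """Flag an unquoted path containing spaces and say what to fix.

    dirs_to_lock_down lists the folders that must not be writable by
    unprivileged users: with an unquoted path, Windows may treat the text
    before each space as the program name, and that truncated name would
    live in one of these folders.
    """
    exe, args, quoted = split_image_path(image_path)
    at_risk = not quoted and " " in exe
    dirs = []
    if at_risk:
        for pos, char in enumerate(exe):
            if char != " ":
                continue
            parent = ntpath.dirname(exe[:pos])
            if parent and parent not in dirs:
                dirs.append(parent)
    quoted_form = '"%s"' % exe + (" " + args if args else "")
    return {
        "at_risk": at_risk,
        "dirs_to_lock_down": dirs,
        "quoted_form": quoted_form,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_image_path(sample)
        print(sample)
        print("  at risk:      ", result["at_risk"])
        print("  check folders:", result["dirs_to_lock_down"])
        print("  quoted form:  ", result["quoted_form"])
```
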
#45 AplusWebMaster

Posted 30 June 2017 - 03:55 AM

FYI...

CVE-2017-3143: An error in TSIG authentication can permit unauthorized dynamic updates
- https://kb.isc.org/article/AA-01503
2017-06-29
CVE: CVE-2017-3143
Document Version: 2.0
Posting date: 29 June 2017
Program Impacted: BIND
Versions affected: 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2
Severity: High
Exploitable: Remotely
Description: An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update.
Impact: A server that relies solely on TSIG keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique...
Workarounds: The effects of this vulnerability can be mitigated by using Access Control Lists (ACLs) that require both address range validation and use of TSIG authentication in conjunction.  For information on how to configure this type of compound authentication control, please see:
- https://kb.isc.org/a...s-and-keys.html
Administrators who have made use of named.conf option "update-policy local;" should refer to the Administrator Reference Manual (ARM) for details of the automatic update policy that will be established and to assess whether or not this conveys any additional risk to their server.  (Note that this option is not enabled by default).
Active exploits: No known active exploits but a similar issue was announced publicly on 23 June 2017 by another DNS server software provider.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.10-P2
    BIND 9 version 9.10.5-P2
    BIND 9 version 9.11.1-P2
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9 version 9.9.10-S3
    BIND 9 version 9.10.5-S3 ...

CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers
- https://kb.isc.org/article/AA-01504
2017-06-29 ...

- http://www.securityt....com/id/1038809
CVE Reference: CVE-2017-3142, CVE-2017-3143
Jun 29 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.4.0 - 9.8.8, 9.9.0 - 9.9.10-P1, 9.10.0 - 9.10.5-P1, 9.11.0 - 9.11.1-P1, 9.9.3-S1 - 9.9.10-S2, 9.10.5-S1 - 9.10.5-S2
Description: Two vulnerabilities were reported in BIND. A remote user can bypass TSIG authentication to transfer a zone or modify zone contents...
Impact: A remote user can bypass authentication to transfer a zone or modify zone contents.
Solution: The vendor has issued a fix (9.9.10-P2, 9.10.5-P2, 9.11.1-P2).
The vendor advisories are available at:
- https://kb.isc.org/article/AA-01503
- https://kb.isc.org/article/AA-01504
 

Edited by AplusWebMaster, 30 June 2017 - 03:55 AM.

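The compound address-plus-key ACL that the CVE-2017-3143 workaround in the post above describes, modelled as an added Python example (not part of the original post and not ISC's code). The key name ddns-key, the 192.0.2.0/24 network and the simplified first-match evaluator are assumptions made for illustration; the named.conf form of each policy is shown in the comments.

```python
"""Simplified model of how named evaluates an address match list.

Assumptions (not from the advisory): key name "ddns-key", trusted network
192.0.2.0/24, and a first-match evaluator covering only the element types
used here. `signer` is the key name named believes signed the request.
"""
import ipaddress

# Each element is (negated, kind, value); kind is "any", "net", "key" or "acl".

# allow-update { key "ddns-key"; };
KEY_ONLY = [(False, "key", "ddns-key")]

# allow-update { 192.0.2.0/24; key "ddns-key"; };        <- address OR key
ADDR_OR_KEY = [(False, "net", "192.0.2.0/24"), (False, "key", "ddns-key")]

# allow-update { !{ !192.0.2.0/24; any; }; key "ddns-key"; };  <- address AND key
ADDR_AND_KEY = [
    (True, "acl", [(True, "net", "192.0.2.0/24"), (False, "any", None)]),
    (False, "key", "ddns-key"),
]

POLICIES = [
    ("key only", KEY_ONLY),
    ("address OR key", ADDR_OR_KEY),
    ("address AND key", ADDR_AND_KEY),
]

# Constructed requests: (label, source address, key name accepted by named).
REQUESTS = [
    ("trusted host, signed", "192.0.2.10", "ddns-key"),
    ("trusted host, unsigned", "192.0.2.10", None),
    ("outside host, signed", "203.0.113.7", "ddns-key"),
    ("outside host, unsigned", "203.0.113.7", None),
]


def match(acl, addr, signer=None):
    """Return True (accept), False (reject) or None (nothing matched)."""
    ip = ipaddress.ip_address(addr)
    for negated, kind, value in acl:
        if kind == "any":
            hit = True
        elif kind == "net":
            hit = ip in ipaddress.ip_network(value)
        elif kind == "key":
            hit = signer is not None and signer == value
        elif kind == "acl":
            # A nested list counts as a hit only when it accepts; a reject
            # inside it means "no match here" and evaluation moves on.
            hit = match(value, addr, signer) is True
        else:
            raise ValueError("unknown element kind: %r" % kind)
        if hit:
            return not negated  # the first matching element decides
    return None


def allowed(acl, addr, signer=None):
    """A request is permitted only on an explicit accept."""
    return match(acl, addr, signer) is True


def decision_table():
    """Evaluate every constructed request against every policy."""
    return {
        (policy, label): allowed(acl, addr, signer)
        for policy, acl in POLICIES
        for label, addr, signer in REQUESTS
    }


if __name__ == "__main__":
    for (policy, label), ok in decision_table().items():
        print("%-16s %-24s %s" % (policy, label, "accept" if ok else "refuse"))
```

Under the third policy a request from outside the trusted network is refused by the first element, before the key element is consulted, so a flaw in key validation alone does not open the zone to updates from arbitrary addresses.
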
#46 AplusWebMaster

Posted 17 January 2018 - 08:49 AM

FYI...

CVE-2017-3144: Failure to properly clean up closed OMAPI connections can exhaust available sockets
- https://kb.isc.org/article/AA-01541
Posting date: 16 Jan 2018
Program Impacted: DHCP
Versions affected: 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, 4.3.0 to 4.3.6.  
Older versions may also be affected but are well beyond their end-of-life (EOL).  
Releases prior to 4.1.0 have not been tested.
Severity: Medium
Exploitable: Remotely (if attackers are permitted access to a server's OMAPI control port)
Description: A vulnerability stemming from failure to properly clean up closed OMAPI connections can lead to exhaustion of the pool of socket descriptors available to the DHCP server.
Impact: By intentionally exploiting this vulnerability an attacker who is permitted to establish connections to the OMAPI control port can exhaust the pool of socket descriptors available to the DHCP server.
Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator. While the server will continue to receive and service DHCP client requests, the operator can be blocked from the ability to use OMAPI to control server state, add new lease reservations, etc.
Workarounds: The recommended remedy is to disallow access to the OMAPI control port from unauthorized clients (in accordance with best practices for server operation).
Active exploits: None known.
Solution: ISC has written a patch which properly cleans up closed socket connections and will include it in future maintenance releases of ISC DHCP.  The patch is also available upon request (to security-officer@isc.org) to parties who want to incorporate it into their own code before the next ISC maintenance releases.  However, we do not plan to issue a special security patch release of DHCP to address this particular issue because we have concluded that the workaround of denying OMAPI connections from unauthorized client addresses should be sufficient in almost all cases and is a recommended best practice for server operation...
Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. For current information on which versions are actively supported, please see:
- http://www.isc.org/downloads/
Last modified: January 16, 2018 at 1:01 pm
___

CVE-2017-3145: Improper fetch cleanup sequencing in the resolver can cause named to crash
- https://kb.isc.org/article/AA-01542
2018-01-16
Program Impacted: BIND
Versions affected: 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1
Severity: High
Exploitable: Remotely
Description: BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named.
Impact: While this bug has existed in BIND since 9.0.0, there are no known code paths leading to it in ISC releases prior to those containing the fix for CVE-2017-3137.  Thus while all instances of BIND ought to be patched, only ISC versions [9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1] acting as DNSSEC validating resolvers are currently known to crash due to this bug.  The known crash is an assertion failure in netaddr.c...
Active exploits: No known active exploits but crashes due to this bug have been reported by multiple parties.
Solution: Upgrade to the patched release most closely related to your current version of BIND.  These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.11-P1
    BIND 9 version 9.10.6-P1
    BIND 9 version 9.11.2-P1
    BIND 9 version 9.12.0rc2
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9 version 9.9.11-S2
    BIND 9 version 9.10.6-S2
___

- https://www.security....com/id/1040195
CVE Reference: CVE-2017-3137, CVE-2017-3145
Jan 16 2018
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.11-P1, 9.10.6-P1, 9.11.2-P1, 9.12.0rc2).
The vendor advisory is available at: https://kb.isc.org/article/AA-01542
___

- https://www.security....com/id/1040194
CVE Reference: CVE-2017-3144
Jan 16 2018
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Version(s): 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, 4.3.0 to 4.3.6
Description: A vulnerability was reported in ISC DHCP. A remote user can consume excessive socket descriptors on the target system.
The system does not properly clean up closed OMAPI connections. A remote user can consume all available socket descriptors for the target DHCP service, preventing new connections and potentially blocking existing connections to the OMAPI service.
Systems that provide remote access to the OMAPI control port are affected.
Impact: A remote user can consume excessive socket descriptors on the target system.
Solution: The vendor has developed a patch, available upon request.
The patch will be included in a future maintenance release.
The vendor advisory is available at: https://kb.isc.org/a...0/CVE-2017-3144
___

- https://www.us-cert....ories-DHCP-BIND
Jan 16, 2018
___

- http://www.securityw...d-security-flaw
Jan 17, 2018
 


Edited by AplusWebMaster, 17 January 2018 - 12:01 PM.

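An added example, not part of the post above and not ISC code: a check of an ISC-format BIND version string (as reported by `named -v`) against the "Versions affected" and "Solution" lists quoted for CVE-2017-3145. It assumes that every release on a listed branch that sorts below that branch's fixed release is affected; the function names and the sort key are this example's own.

```python
import re

# Fixed releases for CVE-2017-3145, copied from the advisory text above,
# keyed by (major, minor, edition). "S" is the Supported Preview Edition.
FIXED = {
    (9, 9, "std"): "9.9.11-P1",
    (9, 10, "std"): "9.10.6-P1",
    (9, 11, "std"): "9.11.2-P1",
    (9, 12, "std"): "9.12.0rc2",
    (9, 9, "S"): "9.9.11-S2",
    (9, 10, "S"): "9.10.6-S2",
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-([PS])(\d+))?$")
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}  # pre-releases sort before the final release


def parse(version):
    """Return (edition, sortable key) for an ISC-style BIND version string."""
    m = _VERSION.match(version.strip())
    if not m:
        # Distribution builds with vendor suffixes may carry backported fixes;
        # check those against the vendor's advisory instead.
        raise ValueError(f"not an ISC release string: {version!r}")
    major, minor, patch, stage, stage_n, kind, kind_n = m.groups()
    edition = "S" if kind == "S" else "std"
    key = (int(major), int(minor), int(patch),
           _STAGE[stage], int(stage_n or 0), int(kind_n or 0))
    return edition, key


def is_affected(version):
    """True/False per the advisory; None if the branch is not listed in it."""
    edition, key = parse(version)
    major, minor = key[0], key[1]
    if edition == "std" and major == 9 and minor <= 8:
        return True  # 9.0.0 to 9.8.x: listed as affected, no fixed release given
    fixed = FIXED.get((major, minor, edition))
    if fixed is None:
        return None
    # Assumption: anything on the branch that sorts below the fix is affected.
    return key < parse(fixed)[1]
```

The check follows the broad "Versions affected" list; the narrower set of releases known to crash, given under "Impact", is not modelled.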

#47 AplusWebMaster


Posted 02 March 2018 - 02:15 PM

FYI...

CVE-2018-5734: A malformed request can trigger an assertion failure in badcache.c
- https://kb.isc.org/a...4/CVE-2018-5734
Posting date: 28 Feb 2018
Program Impacted: BIND
Versions affected: 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, 9.10.6-S2
Severity: High
Exploitable: Remotely
Description: While handling a particular type of malformed packet BIND erroneously selects a SERVFAIL rcode instead of a FORMERR rcode. If the receiving view has the SERVFAIL cache feature enabled, this can trigger an assertion failure in badcache.c when the request doesn't contain all of the expected information.
Impact: Servers running the affected versions (9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, and 9.10.6-S2) are vulnerable if they allow recursion, unless the SERVFAIL cache is disabled for the receiving view...
Workarounds: Disabling the SERVFAIL cache with 'servfail-ttl 0;' will prevent taking the code path that leads to the assertion failure...
Solution: Upgrade to the patched release...
Related Documents: See our BIND9 Security Vulnerability Matrix at:
- https://kb.isc.org/article/AA-00913
___

CVE-2018-5732: A specially constructed response from a malicious server can cause a buffer overflow in dhclient
- https://kb.isc.org/a...5/CVE-2018-5732
Posting date: 28 February 2018
Program Impacted: DHCP
Versions affected: 4.1.0 -> 4.1-ESV-R15, 4.2.0 -> 4.2.8, 4.3.0 -> 4.3.6, 4.4.0
Severity: High
Exploitable: Remotely
Description: Failure to properly bounds check a buffer used for processing DHCP options allows a malicious server (or an entity masquerading as a server) to cause a buffer overflow (and resulting crash) in dhclient by sending a response containing a specially
options section.
Impact: Affected versions of dhclient should crash due to an out-of-bounds memory access if they receive and process a triggering response packet.  However, buffer overflow outcomes can vary by operating system and outcomes such as remote code execution may be possible in some circumstances.  Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution but we can not rule it out as impossible.  The safest course is to patch dhclient so that the buffer overflow cannot occur...
Solution:  Upgrade to the patched release most closely related to your current version of DHCP.
    DHCP 4.1-ESV-R15-P1
    DHCP 4.3.6-P1
    DHCP 4.4.1
Knowledge Base article: https://kb.isc.org/article/AA-01565
___

- https://www.security....com/id/1040436
- https://www.security....com/id/1040437
- https://www.security....com/id/1040438

- https://www.us-cert....ories-DHCP-BIND
March 01, 2018
 


Edited by AplusWebMaster, 02 March 2018 - 02:18 PM.




