Bug 658974 (CVE-2010-3613)

Summary: CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: atkac, cwebster, jlieskov, mcermak, rphipps+bugzredhat, tomichi
Keywords: Reopened, Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-22 15:33:01 UTC
Bug Depends On: 658987, 658990, 659266, 659267, 659268, 659269, 659270, 663898, 663899
Attachments (description, flags):
  Patch for 9.7.0 (flags: none)
  Patch (flags: none)
  Complete testing data from the CVE-2010-3613 verification on RHEL6 (flags: none)

Description Vincent Danen 2010-12-01 18:08:15 UTC
A flaw in how BIND fails to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named (INSIST) was reported [1].

The advisory states:

"Although the defect is very unlikely to be encountered in normal operation, if your recursive resolver is being used to query public Internet zones and you cannot readily restrict your client queries then there is the potential for a remote attacker to cause your nameserver to crash."

The INSIST crashes the server.  This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled.

The upstream advisory [2] notes that this affects BIND versions 9.6.2 through 9.7.2-P2 and is corrected in 9.6.2-P3 and 9.7.2-P3.

[1] http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
[2] http://www.isc.org/software/bind/advisories/cve-2010-3613

Comment 1 Vincent Danen 2010-12-01 18:48:25 UTC
Created bind tracking bugs for this issue

Affects: fedora-14 [bug 658987]
Affects: fedora-13 [bug 658990]

Comment 2 Tomas Hoger 2010-12-02 09:37:41 UTC
Created attachment 464204 [details]
Patch for 9.7.0

Patch to fix CVE-2010-3613 and CVE-2010-3614 in bind 9.7.0.  Extracted from Ubuntu update USN-1025-1.

Comment 4 Adam Tkac 2010-12-02 12:28:06 UTC
Created attachment 464237 [details]
Patch

Comment 5 Richard Phipps 2010-12-02 19:54:33 UTC
Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2 ?

Comment 6 Adam Tkac 2010-12-03 08:29:36 UTC
(In reply to comment #5)
> Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2 ?

Yes, RHEL5's bind is also affected.

Comment 12 errata-xmlrpc 2010-12-13 17:48:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0975 https://rhn.redhat.com/errata/RHSA-2010-0975.html

Comment 13 errata-xmlrpc 2010-12-13 17:54:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0976 https://rhn.redhat.com/errata/RHSA-2010-0976.html

Comment 21 Calvin Webster 2010-12-17 21:23:16 UTC
What about RHEL4? Red Hat CVE database does not mention whether bind-9.2.4-30.el4_8.5.i386.rpm is vulnerable to CVE-2010-3613 or CVE-2010-3614. 

Government systems must be patched or provide a vendor statement that RHEL4 is not affected.

Comment 22 Vincent Danen 2010-12-18 00:07:57 UTC
Red Hat Enterprise Linux 4 is affected, but in a different way:

The main problem is that the attacker can be the owner of a nameserver of a certain public
domain and he can temporarily sign the domain via old and deprecated DNSSEC. In
this case he can use that domain to DoS BIND in RHEL-4. Although it is
an unlikely scenario (the attacker has to control the NS of some domain and has to have
recursive perms on the DoS-ed nameserver), it might happen.

We will be patching RHEL4.

As for CVE-2010-3614, a statement was made regarding that flaw's effects:

"There's no plan to address this low-impact flaw in Red Hat
Enterprise Linux 4, where bind does not implement support for currently used
DNSSEC protocol version." (https://bugzilla.redhat.com/show_bug.cgi?id=658977#c7)

I have made an official statement in that bug which will show up on the CVE pages.  Thank you for bringing that to our attention.

Comment 23 errata-xmlrpc 2010-12-20 18:38:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:1000 https://rhn.redhat.com/errata/RHSA-2010-1000.html