Bug: BIND 9 Memory Exhaustion ( Ascii Version )

Search:
WLB2

BIND 9 Memory Exhaustion

Published / (Updated)
Credit
Risk
2013-03-28 / 2013-03-29
Matthew Horsfall
Medium
CWE
CVE
Local
Remote
CWE-399
CVE-2013-2266
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.8/10
6.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete

CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

Author: ISC Support Reference Number: AA-00871 Views: 5456 Created: 2013-02-26 02:57 Last Updated: 2013-03-26 15:56 0
Rating/ Voters

A critical defect in BIND 9 allows an attacker to cause excessive memory consumption in named or other programs linked
to libdns.

CVE: CVE-2013-2266

Document Version: 2.0

Posting date: 26 March 2013

Program Impacted: BIND

Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1, 9.9.0 -> 9.9.3b1. (Windows
versions are not affected. Versions of BIND 9 prior to BIND 9.7.0 (including BIND 9.6-ESV) are not affected. BIND 10 is
not affected.)

Severity: Critical

Exploitable: Remotely

Description:

A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an
attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of
memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of
other programs running on the same machine.

Please Note: Versions of BIND 9.7 are beyond their "end of life" (EOL) and no longer receive testing or
security fixes from ISC. However, the re-compilation method described in the "Workarounds" section of this
document will prevent exploitation in BIND 9.7 as well as in currently supported versions.

For current information on which versions are actively supported, please see http://www.isc.org/software/bind/versions.

Additional information is available in the CVE-2013-2266 FAQ and Supplemental Information article in the ISC Knowledge
base, https://kb.isc.org/article/AA-00879.


Impact:

Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers
running affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive) and BIND 9.9.0
through BIND 9.9.3b1 (inclusive)]. Additionally, other services which run on the same physical machine as an affected
BIND server could be compromised as well through exhaustion of system memory.

Programs using the libdns library from affected versions of BIND are also potentially vulnerable to exploitation of this
bug if they can be forced to accept input which triggers the condition. Tools which are linked against libdns (e.g.
dig) should also be rebuilt or upgraded, even if named is not being used.

CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please
visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

Patched versions are available (see the "Solutions:" section below) or operators can prevent exploitation of
this bug in any affected version of BIND 9 by compiling without regular expression support.

Compilation without regular expression support:

BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1), and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered
completely safe from this bug by re-compiling the source with regular expression support disabled. In order to disable
inclusion of regular expression support:

After configuring BIND features as desired using the configure script in the top level source directory, manually
edit the "config.h" header file that was produced by the configure script.

Locate the line that reads "#define HAVE_REGEX_H 1" and replace the contents of that line with
"#undef HAVE_REGEX_H".
Run "make clean" to remove any previously compiled object files from the BIND 9 source directory, then
proceed to make and install BIND normally.

Active exploits:

No known active exploits.

Solution:

Compile BIND 9 without regular expression support as described in the "Workarounds" section of this advisory
or upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from
http://www.isc.org/downloads/all.
BIND 9 version 9.8.4-P2
BIND 9 version 9.9.2-P2

Acknowledgements: ISC would like to thank Matthew Horsfall of Dyn, Inc. for discovering this bug and bringing it to our
attention.

References:

http://www.isc.org/software/bind/versions
http://seclists.org/fulldisclosure/2013/Mar/246
http://seclists.org/fulldisclosure/2013/Mar/252
https://kb.isc.org/article/AA-00879
http://www.isc.org/downloads/all

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version