Vigil@nce - BIND: denial of service via Additional Records
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use malicious Additional Resource Records in
order to lock up a BIND server.
– Impacted products: Debian, Fedora, HP-UX, AIX, BIND, MES, Mandriva
Linux, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise
Desktop, SLES
– Severity: 2/4
– Creation date: 10/10/2012
DESCRIPTION OF THE VULNERABILITY
A DNS response is made up of sections carrying Resource Records of different types:
– Question: the question that was asked
– Answer: the direct answer to the question
– Authority: information on the authoritative servers
– Additional: additional information (for example glue addresses)
The query_addadditional() function of the named/query.c file of
BIND adds additional information to a reply. However, if a name is
duplicated, an infinite loop occurs in the BIND service.
The origin of this duplicated name depends on the server type:
– recursive server: the name comes from the reply of an
authoritative server (this is the most probable attack
configuration)
– secondary authoritative server: the name comes from a zone
transfer from the primary
– primary authoritative server: the name comes from a loaded zone
file
An attacker can therefore use malicious Additional Resource
Records in order to lock up a BIND server.
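To make the section layout described above concrete, the following Python example (added here; it is not Vigil@nce's or ISC's code) parses a DNS response in wire format, returns the records of the Additional section and reports any record repeated verbatim. The bulletin does not give the exact record combination that triggers the loop, so the duplicate check is an illustrative consistency test on a constructed response, not a reproduction of the BIND condition; the sample message and the names in it are constructed.

```python
import struct
from collections import Counter
def _read_name(msg, off):
    # Decode a wire-format name at off, following compression pointers (RFC 1035 4.1.4).
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer: remember where the field ended
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii").lower())
        off += 1 + ln
    return ".".join(labels) + ".", (off if end is None else end)
def _read_rr(msg, off):
    # Return ((owner, type, rdata), offset after the record); class and TTL are skipped.
    name, off = _read_name(msg, off)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return (name, rtype, msg[off + 10:off + 10 + rdlen]), off + 10 + rdlen
def parse_additional(msg):
    # Walk Question, Answer and Authority, then return Additional as (owner, type, rdata) tuples.
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                             # QNAME + QTYPE + QCLASS
        off = _read_name(msg, off)[1] + 4
    for _ in range(an + ns):
        off = _read_rr(msg, off)[1]
    records = []
    for _ in range(ar):
        rr, off = _read_rr(msg, off)
        records.append(rr)
    return records
def find_duplicate_rrs(records):
    # Records present more than once with identical owner, type and rdata (RFC 2181 forbids this).
    return [rr for rr, n in Counter(records).items() if n > 1]
def _name(s):                                       # constructed-sample helper: wire-encode a name
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"
def _rr(owner_wire, rtype, rdata):                  # constructed-sample helper: class IN, TTL 300
    return owner_wire + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
# Constructed sample response (not captured traffic): QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=3.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 3)
          + _name("example.test") + struct.pack("!HH", 2, 1)          # question (NS, IN) at offset 12
          + _rr(b"\xc0\x0c", 2, _name("ns1.example.test"))             # NS answer, owner = pointer to 12
          + _rr(_name("ns1.example.test"), 1, bytes([192, 0, 2, 1]))
          + _rr(_name("ns1.example.test"), 1, bytes([192, 0, 2, 2]))
          + _rr(_name("ns1.example.test"), 1, bytes([192, 0, 2, 1])))  # repeats the first glue record
```

Running `find_duplicate_rrs(parse_additional(SAMPLE))` on the constructed message reports the repeated glue record; on a response from a live resolver it would normally return an empty list.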
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/BIND-denial-of-service-via-Additional-Records-12050