BIND 9 DNSSEC validation code could cause fake NXDOMAIN responses

2010-01-19T00:00:00
ID VU:360341
Type cert
Reporter CERT
Modified 2010-01-27T19:37:00

Overview

A vulnerability exists in the BIND 9 DNSSEC validation code that could be used by an attacker to generate fake NXDOMAIN responses.

Description

BIND 9 contains a vulnerability in DNSSEC validation code. According to ISC:

_There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set._

This issue affects BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 through 9.4.3-P4, 9.5.0 through 9.5.2-P1, and 9.6.0 through 9.6.1-P2.


Impact

An attacker may be able to add fake NXDOMAIN records to a resolver's cache.


Solution

Upgrade BIND to version 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.
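
The affected ranges and fixed releases above can be turned into an inventory check. The following is an added example, not code from CERT or ISC; the host names and the sample inventory are constructed, and version strings with any suffix other than `-P<n>` are reported as `unparsed` rather than guessed at.

```python
import re

# Last affected release per branch, taken from the advisory's affected list:
# (major, minor) -> (patch release, -P number).
LAST_AFFECTED = {
    (9, 4): (3, 4),  # 9.4.0 through 9.4.3-P4
    (9, 5): (2, 1),  # 9.5.0 through 9.5.2-P1
    (9, 6): (1, 2),  # 9.6.0 through 9.6.1-P2
}
# Branches the advisory lists as affected in every release (9.0.x to 9.3.x).
FULLY_AFFECTED = {(9, 0), (9, 1), (9, 2), (9, 3)}

# Matches "9.5.2-P1", "9.4.3" or "BIND 9.6.1-P2"; any other suffix is rejected.
_VERSION_RE = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for one version."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return "unparsed"  # e.g. beta or release-candidate strings: review by hand
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    p_level = int(match.group(4) or 0)
    branch = (major, minor)
    if branch in FULLY_AFFECTED:
        return "affected"
    if branch not in LAST_AFFECTED:
        return "not-listed"  # the advisory makes no statement about this branch
    # Tuple comparison: 9.4.3-P5 -> (3, 5) > (3, 4), so it is past the last
    # affected release of its branch.
    return "affected" if (patch, p_level) <= LAST_AFFECTED[branch] else "fixed"


def triage(inventory):
    """Group host names by classification; inventory maps host -> version."""
    groups = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(classify(version), []).append(host)
    return groups


# Constructed sample inventory (host names and version mix are made up).
SAMPLE_INVENTORY = {
    "ns1.example.net": "BIND 9.6.1-P2",
    "ns2.example.net": "9.6.1-P3",
    "resolver-a.example.net": "9.3.6-P1",
    "resolver-b.example.net": "9.5.2-P2",
    "resolver-c.example.net": "9.7.0",
    "lab.example.net": "9.6.0rc1",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

Hosts in the `unparsed` and `not-listed` groups need a manual check against the vendor advisory, since this page says nothing about them.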


Vendor Information

Fedora Project

Notified: January 15, 2010 Updated: January 27, 2010

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Fedora has published more information regarding this issue:

<http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034196.html>

Internet Systems Consortium

Notified: January 15, 2010 Updated: January 19, 2010

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see <https://www.isc.org/advisories/CVE-2010-0097> for more information regarding the vulnerability.

Red Hat, Inc.

Notified: January 15, 2010 Updated: January 27, 2010

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Red Hat has published more information regarding this issue:

<http://rhn.redhat.com/errata/RHSA-2010-0062.html>

Sun Microsystems, Inc.

Notified: January 15, 2010 Updated: January 27, 2010

Statement Date: January 21, 2010

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see the following document for more information:

<http://sunsolve.sun.com/search/document.do?assetkey=1-66-275890-1>

The SCO Group

Notified: January 15, 2010 Updated: January 27, 2010

Statement Date: January 18, 2010

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified: January 15, 2010 Updated: January 27, 2010

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Ubuntu has published more information regarding this issue:

<http://www.ubuntu.com/usn/USN-888-1>

Alcatel-Lucent

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BlueCat Networks, Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gnu ADNS

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Men & Mice

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nominum

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Shadowsupport

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

<https://www.isc.org/advisories/CVE-2010-0097>

Credit

This issue was reported by ISC.

This document was written by David Warren.

Other Information

CVE IDs: | CVE-2010-0097
---|---
Date Public: | 2010-01-19
Date First Published: | 2010-01-19
Date Last Updated: | 2010-01-27 19:37 UTC
Document Revision: | 12