BIND 9 DNSSEC validation code could cause fake NXDOMAIN responses

2010-01-19T00:00:00
ID VU:360341
Type cert
Reporter CERT
Modified 2010-01-27T19:37:00

Description

Overview

A vulnerability exists in the BIND 9 DNSSEC validation code that could be used by an attacker to generate fake NXDOMAIN responses.

Description

BIND 9 contains a vulnerability in DNSSEC validation code. According to ISC:

_There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set. _

This issue affects BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P4, 9.5.0 -> 9.5.2-P1, 9.6.0 -> 9.6.1-P2


Impact

An attacker may be able to add fake NXDOMAIN records to a resolver's cache.


Solution

Upgrade BIND to version 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.


Vendor Information

360341

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Fedora Project __ Affected

Notified: January 15, 2010 Updated: January 27, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Fedora has published more information regarding this issue:

<http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034196.html>

Internet Systems Consortium __ Affected

Notified: January 15, 2010 Updated: January 19, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see <https://www.isc.org/advisories/CVE-2010-0097> for more information regarding the vulnerability.

Red Hat, Inc. __ Affected

Notified: January 15, 2010 Updated: January 27, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Red Hat has published more information regarding this issue:

<http://rhn.redhat.com/errata/RHSA-2010-0062.html>

Sun Microsystems, Inc. __ Affected

Notified: January 15, 2010 Updated: January 27, 2010

Statement Date: January 21, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see the following document for more information:

<http://sunsolve.sun.com/search/document.do?assetkey=1-66-275890-1>

The SCO Group Affected

Notified: January 15, 2010 Updated: January 27, 2010

Statement Date: January 18, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu __ Affected

Notified: January 15, 2010 Updated: January 27, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Ubuntu has published more information regarding this issue:

<http://www.ubuntu.com/usn/USN-888-1>

Alcatel-Lucent Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BlueCat Networks, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gnu ADNS Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Men & Mice Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nominum Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Shadowsupport Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 53 vendors View less vendors

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

<https://www.isc.org/advisories/CVE-2010-0097>

Acknowledgements

This issue was reported by ISC.

This document was written by David Warren.

Other Information

CVE IDs: | CVE-2010-0097
---|---
Date Public: | 2010-01-19
Date First Published: | 2010-01-19
Date Last Updated: | 2010-01-27 19:37 UTC
Document Revision: | 13