BIND DNS Nameserver, DNSSEC validation Vulnerability

2009-12-01T00:00:00
ID VU:418861
Type cert
Reporter CERT
Modified 2010-01-19T19:08:00

Description

Overview

A vulnerability exists in the way BIND 9 handles recursive client queries that may cause additional records to be added to its cache.

Description

BIND 9 contains a vulnerability in the way recursive client queries are handled. According to ISC:

_A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query with checking disabled (CD), or when the nameserver internally triggers a query for missing records for recursive name resolution. Cached records can be returned in response to subsequent client queries with or without requesting DNSSEC records (DO). In addition, some of them can be returned to queries with or without checking disabled (CD). _

This issue affects BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.6.1-P1.


Impact

An attacker may be able to manipulate cache data and perform DNS Cache Poisoning.


Solution

Upgrade
BIND should be upgraded to version 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.


Disable DNSSEC Validation
According to ISC:
Disabling DNSSEC validation will also prevent incorrect caching of additional records due to this defect. However, this removes DNSSEC validation protection and the ability of the nameserver to deliver authenticated data in query responses.


Vendor Information

418861

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Internet Systems Consortium __ Affected

Notified: December 02, 2009 Updated: December 02, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Refer to <https://www.isc.org/node/504> for more information.

Alcatel-Lucent Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BlueCat Networks, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gnu ADNS Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Men & Mice Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Metasolv Software, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nixu Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nominum Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Shadowsupport Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: December 02, 2009 Updated: December 02, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 55 vendors View less vendors

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

<https://www.isc.org/node/504>

Acknowledgements

ISC credits Michael Sinatra, UC Berkeley with finding this issue.

This document was written by Chris Taschner.

Other Information

CVE IDs: | CVE-2009-4022
---|---
Date Public: | 2009-11-19
Date First Published: | 2009-12-01
Date Last Updated: | 2010-01-19 19:08 UTC
Document Revision: | 17