CERT Vulnerability Note VU#718460

ISC BIND denial of service vulnerability

Published: May 03, 2007
Source: www.kb.cert.org

CVSS v2 base score: 7.1 (High)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

EPSS: 0.061 (Low), percentile 93.4%

Overview

A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.

Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC).

BIND version 9.4.0 contains a vulnerability in the way that the query_addsoa() function is called. A remote attacker with the ability to send a specific sequence of queries to a vulnerable system can cause the nameserver to exit. Note that recursion must be enabled on the nameserver for this vulnerability to be exposed.


Impact

A remote attacker may be able to cause the name server daemon to exit prematurely, thereby causing a denial of service for DNS operations.


Solution

Upgrade

Users who compile their own copies of the affected version of BIND (9.4.0) from the original ISC source code are encouraged to upgrade to BIND version 9.4.1 (or later), which includes a patch for this issue.


Workarounds

Disable Recursion
Users, particularly those who are not able to upgrade, are encouraged to disable recursion (set ‘recursion no;’ in the options block of named.conf) if recursion is not required by their configuration. Because the vulnerable code path is only reached when recursion is enabled, this removes the exposure until the upgrade to 9.4.1 can be made.
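The advisory ties exposure to two conditions on the same host: the affected 9.4.0 build and recursion being enabled. Both can be read from the server itself, the version from `named -v` and the recursion setting from named.conf. The script below is an added example, not code from CERT/CC or ISC. It assumes `named -v` prints a string that begins with `BIND <version>` and that named.conf uses BIND's usual brace-delimited syntax; the configuration fragments it inspects are constructed for the example and show the weak setting (recursion left on, which is also BIND's default when the option is absent) beside the corrected `recursion no;`.

```python
import re

# Constructed sample configurations for this example (not from the advisory).
WEAK_NAMED_CONF = """
// Recursion left enabled for any client that can reach the server.
options {
    directory "/var/named";
    recursion yes;
};
zone "example.test" {
    type master;
    file "example.test.zone";
};
"""

HARDENED_NAMED_CONF = """
// The advisory's workaround applied: authoritative-only, no recursion.
options {
    directory "/var/named";
    recursion no;   /* not needed on an authoritative-only server */
};
"""

# No 'recursion' statement at all: BIND treats this as 'recursion yes;'.
DEFAULT_NAMED_CONF = """
options {
    directory "/var/named";
};
"""


def _strip_comments(text):
    """Drop /* */, // and # comments, which named's parser ignores."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _options_block(text):
    """Return the body of the top-level options { ... } block, or '' if absent."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    start = i = m.end()
    depth = 1
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[start:i - 1]


def recursion_enabled(named_conf):
    """True if the server would answer recursive queries.

    When 'recursion' is missing from options, BIND defaults to yes, so an
    absent statement counts as enabled rather than as unknown.
    """
    body = _options_block(_strip_comments(named_conf))
    m = re.search(r"\brecursion\s+(yes|no|true|false)\s*;", body, flags=re.I)
    if not m:
        return True
    return m.group(1).lower() in ("yes", "true")


def affected_version(named_v_output):
    """True if `named -v` reports 9.4.0, the version the advisory names.

    Returns None when no BIND version string can be parsed, so the caller
    does not mistake an unreadable banner for a safe one.
    """
    m = re.search(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)", named_v_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) == (9, 4, 0)


def assess(named_v_output, named_conf):
    """Combine the two checks into the exposure the advisory describes."""
    affected = affected_version(named_v_output)
    if affected is None:
        return "unknown version: inspect the named binary manually"
    if affected and recursion_enabled(named_conf):
        return "exposed: upgrade to BIND 9.4.1 or set 'recursion no;' in options"
    if affected:
        return "affected build, but recursion is disabled; upgrade when possible"
    return "not the affected version"


if __name__ == "__main__":
    # Constructed 'named -v' banners; on a real host use the output of `named -v`.
    for banner in ("BIND 9.4.0", "BIND 9.4.1", "BIND 9.3.4"):
        for label, conf in (("weak", WEAK_NAMED_CONF),
                            ("default", DEFAULT_NAMED_CONF),
                            ("hardened", HARDENED_NAMED_CONF)):
            print(f"{banner:<11} {label:<9} -> {assess(banner, conf)}")
```

Treating a missing `recursion` statement as enabled is the important detail: a fresh named.conf that never mentions recursion is the weak configuration, not a neutral one, so an audit that only looks for an explicit `recursion yes;` would miss it.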


Vendor Information


Internet Software Consortium Affected

Notified: April 30, 2007 Updated: May 02, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

ISC has published BIND version 9.4.1 to address this vulnerability. Users who compile their own versions of BIND from the original ISC source code are encouraged to upgrade to this version (or later) of the software.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23718460 Feedback>).

Mandriva, Inc. Affected

Notified: May 02, 2007 Updated: May 15, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandriva has published Mandriva Security Advisory MDKSA-2007:100 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23718460 Feedback>).

NetBSD Affected

Notified: May 02, 2007 Updated: July 03, 2007

Status

Affected

Vendor Statement

No formal NetBSD release included BIND 9.4.0. However, 9.4.0 was in CVS HEAD sources for a little while before being updated to 9.4.1. We have sent out a short note to anyone who might be running with 9.4.0:

http://mail-index.netbsd.org/current-users/2007/07/01/0010.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. Not Affected

Notified: May 02, 2007 Updated: May 15, 2007

Status

Not Affected

Vendor Statement

Please list Apple as not vulnerable to VU#718460. We do not currently ship BIND 9.4.0 in our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Not Affected

Notified: May 02, 2007 Updated: May 09, 2007

Status

Not Affected

Vendor Statement

Our development team has reviewed this information and determined that there is no impact on NetWare and OES Linux DNS Servers.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Not Affected

Notified: May 02, 2007 Updated: May 09, 2007

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not affected. We currently use BIND 9.3.4, not the affected version 9.4.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Not Affected

Notified: May 02, 2007 Updated: May 03, 2007

Status

Not Affected

Vendor Statement

The newest version of BIND in any Slackware distribution is 9.3.4, so we are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Not Affected

Notified: May 02, 2007 Updated: May 15, 2007

Status

Not Affected

Vendor Statement

This is to inform you that Sun Solaris is not affected by this issue since we do not ship any of the BIND releases that are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu Not Affected

Notified: May 02, 2007 Updated: May 03, 2007

Status

Not Affected

Vendor Statement

Ubuntu is unaffected. None of our releases contain BIND 9.4.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

BlueCat Networks, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Check Point Software Technologies Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation) Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

GNU glibc Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gnu ADNS Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Infoblox Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lucent Technologies Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Men & Mice Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Metasolv Software, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Shadowsupport Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.



Acknowledgements

Thanks to Mark Andrews of the Internet Systems Consortium (ISC) for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2007-2241
Severity Metric: 6.90
Date Public:
