ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
Note: This email advisory is provided for your information. The most up to date advisory information will always be at: https://kb.isc.org/article/AA-00871 please use this URL for the most up to date advisory information. --- A critical defect in BIND 9 allows an attacker to cause excessive memory consumption in named or other programs linked to libdns. CVE: CVE-2013-2266 Document Version: 2.0 Posting date: 26 March 2013 Program Impacted: BIND Versions affected:"Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1, 9.9.0 -> 9.9.3b1. (Windows versions are not affected. Versions of BIND 9 prior to BIND 9.7.0 (including BIND 9.6-ESV) are not affected. BIND 10 is not affected.) Severity: Critical Exploitable: Remotely Description: A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine. Please Note: Versions of BIND 9.7 are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC. However, the re-compilation method described in the "Workarounds" section of this document will prevent exploitation in BIND 9.7 as well as in currently supported versions. For current information on which versions are actively supported, please seehttp://www.isc.org/software/bind/versions. Additional information is available in the CVE-2013-2266 FAQ and Supplemental Information article in the ISC Knowledge base, https://kb.isc.org/article/AA-00879. Impact: Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1 (inclusive)]. Additionally, other services which run on the same physical machine as an affected BIND server could be compromised as well through exhaustion of system memory. Programs using the libdns library from affected versions of BIND are also potentially vulnerable to exploitation of this bug if they can be forced to accept input which triggers the condition. Tools which are linked against libdns (e.g. dig) should also be rebuilt or upgraded, even if named is not being used. CVSS Score: 7.8 CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C) For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C) Workarounds: Patched versions are available (see the "Solutions:" section below) or operators can prevent exploitation of this bug in any affected version of BIND 9 by compiling without regular expression support. Compilation without regular expression support: BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1), and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely safe from this bug by re-compiling the source with regular expression support disabled. In order to disable inclusion of regular expression support: - After configuring BIND features as desired using the configure script in the top level source directory, manually edit the "config.h" header file that was produced by the configure script. - Locate the line that reads "#define HAVE_REGEX_H 1" and replace the contents of that line with "#undef HAVE_REGEX_H". - Run "make clean" to remove any previously compiled object files from the BIND 9 source directory, then proceed to make and install BIND normally. Active exploits: No known active exploits. Solution: Compile BIND 9 without regular expression support as described in the "Workarounds" section of this advisory or upgrade to the patched release most closely related to your current version of BIND. These can be downloaded fromhttp://www.isc.org/downloads/all. BIND 9 version 9.8.4-P2 BIND 9 version 9.9.2-P2 Acknowledgements: ISC would like to thank Matthew Horsfall of Dyn, Inc. for discovering this bug and bringing it to our attention. Document Revision History: 1.0 Phase One - Advance Notification, 11 March 2013 1.1 Phase Two & Three, 25 March 2013 2.0 Notification to Public (Phase Four), 26 March 2013 Related Documents: Japanese Translation:
Re: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
Hello, if I understand correctly, this isn't issue in BIND itself but it is some memory leak in underlying regexp library (glibc in Linux case). Can you please clarify which exact flaw in glibc (or other regex implementation) makes BIND vulnerable to remote DoS? Is it already reported to regex library developers? Was it already fixed (and how)? I'm asking because from distribution point of view it's better to address this flaw directly in regex implementation which will automatically make BIND invulnerable. Thank you in advance for response. Regards, Adam On Tue, Mar 26, 2013 at 12:01:50PM -0400, ISC Support Staff wrote: > A critical defect in BIND 9 allows an attacker to cause excessive > > memory consumption in named or other programs linked to libdns. > > > > CVE: CVE-2013-2266 > > Document Version: 2.0 > > Posting date: 26 March 2013 > > Program Impacted: BIND > > Versions affected:"Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1, > > 9.9.0 -> 9.9.3b1. (Windows versions are not > affected. > > Versions of BIND 9 prior to BIND 9.7.0 (including > > BIND 9.6-ESV) are not affected. BIND 10 is > > not affected.) > > Severity: Critical > > Exploitable: Remotely > > Description: > > > >A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled > >on Unix and related operating systems, allows an attacker to > >deliberately cause excessive memory consumption by the named > >process, potentially resulting in exhaustion of memory resources > >on the affected server. This condition can crash BIND 9 and > >will likely severely affect operation of other programs running > >on the same machine. > > > >Please Note: Versions of BIND 9.7 are beyond their "end of life" > >(EOL) and no longer receive testing or security fixes from ISC. > >However, the re-compilation method described in the "Workarounds" > >section of this document will prevent exploitation in BIND 9.7 > >as well as in currently supported versions. > > > >For current information on which versions are actively supported, > >please seehttp://www.isc.org/software/bind/versions. > > > >Additional information is available in the CVE-2013-2266 FAQ and > >Supplemental Information article in the ISC Knowledge base, > >https://kb.isc.org/article/AA-00879. > > > > Impact: > > > >Intentional exploitation of this condition can cause denial of > >service in all authoritative and recursive nameservers running > >affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 > >through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1 > >(inclusive)]. Additionally, other services which run on the > >same physical machine as an affected BIND server could be > >compromised as well through exhaustion of system memory. > > > >Programs using the libdns library from affected versions of BIND > >are also potentially vulnerable to exploitation of this bug if > >they can be forced to accept input which triggers the condition. > >Tools which are linked against libdns (e.g. dig) should also be > >rebuilt or upgraded, even if named is not being used. > > > > CVSS Score: 7.8 > > > > CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C) > > > >For more information on the Common Vulnerability Scoring System > >and to obtain your specific environmental score please visit: > > > > http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C) > > > > Workarounds: > > > >Patched versions are available (see the "Solutions:" section > >below) or operators can prevent exploitation of this bug in any > >affected version of BIND 9 by compiling without regular expression > >support. > > > >Compilation without regular expression support: > > > > BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1), > > and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely > > safe from this bug by re-compiling the source with regular > > expression support disabled. In order to disable inclusion > > of regular expression support: > > > > - After configuring BIND features as desired using the configure > > script in the top level source directory, manually edit the > > "config.h" header file that was produced by the configure > > script. > > > > - Locate the line that reads "#define HAVE_REGEX_H 1" and > > replace the contents of that line with "#undef > > HAVE_REGEX_H". > > > > - Run "make clean" to remove any previously compiled object > > files from the BIND 9 source directory, then proceed to > > make and install BIND normally. > > > > Active exploits: >
RE: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
I have a request for clarification: The workaround states to rebuild BIND with regexp support disabled. And I see new versions of BIND have been released. Are those versions just a rebuild with regexp support disabled? Or are they a more comprehensive fix? thanks. -- Jack Tavares From: bind-announce-bounces+j.tavares=f5@lists.isc.org [bind-announce-bounces+j.tavares=f5@lists.isc.org] on behalf of ISC Support Staff [support-st...@isc.org] Sent: Tuesday, March 26, 2013 09:02 To: bind-annou...@lists.isc.org Subject: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named Note: This email advisory is provided for your information. The most up to date advisory information will always be at: https://kb.isc.org/article/AA-00871 please use this URL for the most up to date advisory information. --- A critical defect in BIND 9 allows an attacker to cause excessive memory consumption in named or other programs linked to libdns. CVE: CVE-2013-2266 Document Version: 2.0 Posting date: 26 March 2013 Program Impacted: BIND Versions affected:"Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1, 9.9.0 -> 9.9.3b1. (Windows versions are not affected. Versions of BIND 9 prior to BIND 9.7.0 (including BIND 9.6-ESV) are not affected. BIND 10 is not affected.) Severity: Critical Exploitable: Remotely Description: A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine. Please Note: Versions of BIND 9.7 are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC. However, the re-compilation method described in the "Workarounds" section of this document will prevent exploitation in BIND 9.7 as well as in currently supported versions. For current information on which versions are actively supported, please seehttp://www.isc.org/software/bind/versions. Additional information is available in the CVE-2013-2266 FAQ and Supplemental Information article in the ISC Knowledge base, https://kb.isc.org/article/AA-00879. Impact: Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1 (inclusive)]. Additionally, other services which run on the same physical machine as an affected BIND server could be compromised as well through exhaustion of system memory. Programs using the libdns library from affected versions of BIND are also potentially vulnerable to exploitation of this bug if they can be forced to accept input which triggers the condition. Tools which are linked against libdns (e.g. dig) should also be rebuilt or upgraded, even if named is not being used. CVSS Score: 7.8 CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C) For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C) Workarounds: Patched versions are available (see the "Solutions:" section below) or operators can prevent exploitation of this bug in any affected version of BIND 9 by compiling without regular expression support. Compilation without regular expression support: BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1), and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely safe from this bug by re-compiling the source with regular expression support disabled. In order to disable inclusion of regular expression support: - After configuring BIND features as desired using the configure script in the top level source directory, manually edit the "config.h" header file that was produced by the configure script. - Locate the line that reads "#define HAVE_REGEX_H 1" and replace the contents of that line with "#undef HAVE_REGEX_H". - Run "make clean" to remove any previously compiled object files from the BIN
Re: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
On 3/26/13 10:05 AM, Jack Tavares wrote: I have a request for clarification: The workaround states to rebuild BIND with regexp support disabled. And I see new versions of BIND have been released. Are those versions just a rebuild with regexp support disabled? Or are they a more comprehensive fix? This question is addressed in the "CVE-2013-2266: FAQ and Supplemental Information" Knowledge Base article, which I encourage everyone to read. https://kb.isc.org/article/AA-00879 Please see specifically the section which begins: "What is the difference between deploying the patched versions of BIND versus implementing the documented workaround?" Thanks, Michael McNally ISC Support ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
Thank you. -- Jack Tavares From: ISC Support Staff [support-st...@isc.org] Sent: Tuesday, March 26, 2013 11:08 To: Jack Tavares Cc: bind-us...@isc.org Subject: Re: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named On 3/26/13 10:05 AM, Jack Tavares wrote: > > I have a request for clarification: > > The workaround states to rebuild BIND with regexp support disabled. > > And I see new versions of BIND have been released. > Are those versions just a rebuild with regexp support disabled? > Or are they a more comprehensive fix? This question is addressed in the "CVE-2013-2266: FAQ and Supplemental Information" Knowledge Base article, which I encourage everyone to read. https://kb.isc.org/article/AA-00879 Please see specifically the section which begins: "What is the difference between deploying the patched versions of BIND versus implementing the documented workaround?" Thanks, Michael McNally ISC Support ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
In message <20130326163235.ga31...@redhat.com>, Adam Tkac writes: > Hello, > > if I understand correctly, this isn't issue in BIND itself but it is some > memory > leak in underlying regexp library (glibc in Linux case). Can you please > clarify > which exact flaw in glibc (or other regex implementation) makes BIND > vulnerable > to remote DoS? Is it already reported to regex library developers? Was it > already fixed (and how)? > > I'm asking because from distribution point of view it's better to address this > flaw directly in regex implementation which will automatically make BIND > invulnerable. > > Thank you in advance for response. > > Regards, Adam While I understand your issues bind-users isn't the forum to answer them. Mark > On Tue, Mar 26, 2013 at 12:01:50PM -0400, ISC Support Staff wrote: > > A critical defect in BIND 9 allows an attacker to cause excessive > > > > memory consumption in named or other programs linked to libdns. > > > > > > > > CVE: CVE-2013-2266 > > > > Document Version: 2.0 > > > > Posting date: 26 March 2013 > > > > Program Impacted: BIND > > > > Versions affected:"Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1, > > > > 9.9.0 -> 9.9.3b1. (Windows versions are not > > affected. > > > > Versions of BIND 9 prior to BIND 9.7.0 (including > > > > BIND 9.6-ESV) are not affected. BIND 10 is > > > > not affected.) > > > > Severity: Critical > > > > Exploitable: Remotely > > > > Description: > > > > > > > >A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled > > > >on Unix and related operating systems, allows an attacker to > > > >deliberately cause excessive memory consumption by the named > > > >process, potentially resulting in exhaustion of memory resources > > > >on the affected server. This condition can crash BIND 9 and > > > >will likely severely affect operation of other programs running > > > >on the same machine. > > > > > > > >Please Note: Versions of BIND 9.7 are beyond their "end of life" > > > >(EOL) and no longer receive testing or security fixes from ISC. > > > >However, the re-compilation method described in the "Workarounds" > > > >section of this document will prevent exploitation in BIND 9.7 > > > >as well as in currently supported versions. > > > > > > > >For current information on which versions are actively supported, > > > >please seehttp://www.isc.org/software/bind/versions. > > > > > > > >Additional information is available in the CVE-2013-2266 FAQ and > > > >Supplemental Information article in the ISC Knowledge base, > > > >https://kb.isc.org/article/AA-00879. > > > > > > > > Impact: > > > > > > > >Intentional exploitation of this condition can cause denial of > > > >service in all authoritative and recursive nameservers running > > > >affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 > > > >through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1 > > > >(inclusive)]. Additionally, other services which run on the > > > >same physical machine as an affected BIND server could be > > > >compromised as well through exhaustion of system memory. > > > > > > > >Programs using the libdns library from affected versions of BIND > > > >are also potentially vulnerable to exploitation of this bug if > > > >they can be forced to accept input which triggers the condition. > > > >Tools which are linked against libdns (e.g. dig) should also be > > > >rebuilt or upgraded, even if named is not being used. > > > > > > > > CVSS Score: 7.8 > > > > > > > > CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C) > > > > > > > >For more information on the Common Vulnerability Scoring System > > > >and to obtain your specific environmental score please visit: > > > > > > > > http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C) > > > > > > > > Workarounds: > > > > > > > >Patched versions are available (see the "Solutions:" section > > > >below) or operators can prevent exploitation of this bug in any > > > >affected version of BIND 9 by compiling without regular expression > > > >support. > > > > > > > >Compilation without regular expression support: > > > > > > > > BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1), > > > > and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely > > > > safe from this bug by re-compiling the source with regular > > > > expression support disabled. In order to disable inclusion > > > > of regular expression support: > > > > > > > > - After configuring BIND features as desired using the configure > > > > script in the top level source
