BIND Bugs Let Remote Users Bypass Access Controls and Deny Service - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > BIND

Vendors: ISC (Internet Software Consortium)

BIND Bugs Let Remote Users Bypass Access Controls and Deny Service

SecurityTracker Alert ID: 1024817

SecurityTracker URL: http://securitytracker.com/id/1024817

CVE Reference: CVE-2010-3613, CVE-2010-3614, CVE-2010-3615 (Links to External Site)

Date: Dec 2 2010

Impact: Denial of service via network, Host/resource access via network, Modification of system information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2

Description: Several vulnerabilities were reported in BIND. A remote user can cause denial of service conditions. A remote user can bypass access controls.

When certain types of signed negative responses are added to the cache, matching RRSIG records already in the cache are not cleared [CVE-2010-3613]. A remote user can subsequently perform a lookup of the cached data can cause named to crash.

When named is acting as a DNSSEC validator, it may incorrectly determine that an NS RRset is insecure when there isn't a matching key for the RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY RRset (such as during a DNSKEY algorithm rollover when two different algorithms are used to sign a zone but only the new set of keys are in the zone DNSKEY RRset) [CVE-2010-3614].

When named is running as an authoritative server for a zone and the allow-query statement is not set in the zone statement, the system defaults to allowing the query [CVE-2010-3615]. A remote user can send a query for that zone data to bypass the access controls.

Impact: A remote user can cause denial of service conditions.

A remote user can bypass access controls.

Solution: The vendor has issued a fix (9.7.2-P3).

The vendor's advisories are available at:

http://www.isc.org/software/bind/advisories/cve-2010-3613
http://www.isc.org/software/bind/advisories/cve-2010-3614
http://www.isc.org/software/bind/advisories/cve-2010-3615

Vendor URL: www.isc.org/software/bind/advisories/cve-2010-3615 (Links to External Site)

Cause: Access control error, State error

Underlying OS: Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Dec 13 2010	(Red Hat Issues Fix) BIND Bugs Let Remote Users Bypass Access Controls and Deny Service (bugzilla@redhat.com) Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Dec 14 2010	(Red Hat Issues Fix) BIND Bugs Let Remote Users Bypass Access Controls and Deny Service (bugzilla@redhat.com) Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Dec 20 2010	(Red Hat Issues Fix) BIND Bugs Let Remote Users Bypass Access Controls and Deny Service (bugzilla@redhat.com) Red Hat has issued a fix for Red Hat Enterprise Linux 4.
Mar 8 2011	(VMware Issues Fix for ESX) BIND Bugs Let Remote Users Bypass Access Controls and Deny Service (VMware Security Announcements <security-announce@lists.vmware.com>) VMware has issued a fix for ESX.
Apr 13 2011	(HP Issues Fix for HP-UX) BIND Bugs Let Remote Users Bypass Access Controls and Deny Service (security-alert@hp.com) HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
Jul 15 2011	(IBM Issues Fix for AIX) BIND Bugs Let Remote Users Bypass Access Controls and Deny Service IBM has issued a fix for AIX 5.3.12, 6.1.4, 6.1.5, 6.1.6, and 7.1.0.

Source Message Contents

Date: Thu, 02 Dec 2010 19:52:10 +0000
Subject: BIND


http://www.isc.org/software/bind/advisories/cve-2010-3613
http://www.isc.org/software/bind/advisories/cve-2010-3614
http://www.isc.org/software/bind/advisories/cve-2010-3615

CVE-2010-3613
CVE-2010-3614
CVE-2010-3615

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC