ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

ISC Support Staff

Mar 26, 2013, 12:01:50 PM
to bind-...@lists.isc.org
Note:

This email advisory is provided for your information. The most
up to date advisory information will always be at:
https://kb.isc.org/article/AA-00871 please use this URL for the
most up to date advisory information.

---

A critical defect in BIND 9 allows an attacker to cause excessive
memory consumption in named or other programs linked to libdns.

CVE: CVE-2013-2266
Document Version: 2.0
Posting date: 26 March 2013
Program Impacted: BIND
Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1,
                   9.9.0 -> 9.9.3b1. (Windows versions are not
                   affected. Versions of BIND 9 prior to BIND 9.7.0
                   (including BIND 9.6-ESV) are not affected. BIND 10
                   is not affected.)
Severity: Critical
Exploitable: Remotely

Description:

A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
on Unix and related operating systems, allows an attacker to
deliberately cause excessive memory consumption by the named
process, potentially resulting in exhaustion of memory resources
on the affected server. This condition can crash BIND 9 and
will likely severely affect operation of other programs running
on the same machine.

Please Note: Versions of BIND 9.7 are beyond their "end of life"
(EOL) and no longer receive testing or security fixes from ISC.
However, the re-compilation method described in the "Workarounds"
section of this document will prevent exploitation in BIND 9.7
as well as in currently supported versions.

For current information on which versions are actively supported,
please see http://www.isc.org/software/bind/versions.

Additional information is available in the CVE-2013-2266 FAQ and
Supplemental Information article in the ISC Knowledge base,
https://kb.isc.org/article/AA-00879.

Impact:

Intentional exploitation of this condition can cause denial of
service in all authoritative and recursive nameservers running
affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
(inclusive)]. Additionally, other services which run on the
same physical machine as an affected BIND server could be
compromised as well through exhaustion of system memory.

Programs using the libdns library from affected versions of BIND
are also potentially vulnerable to exploitation of this bug if
they can be forced to accept input which triggers the condition.
Tools which are linked against libdns (e.g. dig) should also be
rebuilt or upgraded, even if named is not being used.

CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System
and to obtain your specific environmental score please visit:

http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

Patched versions are available (see the "Solutions:" section
below) or operators can prevent exploitation of this bug in any
affected version of BIND 9 by compiling without regular expression
support.

Compilation without regular expression support:

BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
safe from this bug by re-compiling the source with regular
expression support disabled. In order to disable inclusion
of regular expression support:

- After configuring BIND features as desired using the configure
  script in the top level source directory, manually edit the
  "config.h" header file that was produced by the configure
  script.

- Locate the line that reads "#define HAVE_REGEX_H 1" and
  replace the contents of that line with "#undef
  HAVE_REGEX_H".

- Run "make clean" to remove any previously compiled object
  files from the BIND 9 source directory, then proceed to
  make and install BIND normally.

Active exploits:

No known active exploits.

Solution:

Compile BIND 9 without regular expression support as described
in the "Workarounds" section of this advisory or upgrade to the
patched release most closely related to your current version of
BIND. These can be downloaded from http://www.isc.org/downloads/all.

BIND 9 version 9.8.4-P2
BIND 9 version 9.9.2-P2

Acknowledgements:

ISC would like to thank Matthew Horsfall of Dyn, Inc. for
discovering this bug and bringing it to our attention.

Document Revision History:

1.0 Phase One - Advance Notification, 11 March 2013
1.1 Phase Two & Three, 25 March 2013
2.0 Notification to Public (Phase Four), 26 March 2013

Related Documents:

Japanese Translation: https://kb.isc.org/article/AA-00881
Spanish Translation: https://kb.isc.org/article/AA-00882
German Translation: https://kb.isc.org/article/AA-00883
Portuguese Translation: https://kb.isc.org/article/AA-00884

See our BIND Security Matrix for a complete listing of Security
Vulnerabilities and versions affected.

If you'd like more information on our product support please visit
www.isc.org/support.

Do you still have questions? Questions regarding this advisory
should go to securit...@isc.org

Note:

ISC patches only currently supported versions. When possible we
indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy

This Knowledge Base article https://kb.isc.org/article/AA-00871 is
the complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.

(c) 2001-2013 Internet Systems Consortium
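
The config.h edit from the advisory's "Workarounds" steps, written as an added shell example that is not part of the ISC advisory or of BIND. The function names, the backup file name and the sample config.h contents are assumptions made for illustration:

```shell
#!/bin/sh
# Added example (not ISC code): apply and verify the advisory's config.h edit.
# Run it after ./configure; then "make clean" and build as the advisory says.

# ERE matching an active "#define HAVE_REGEX_H", but not HAVE_REGEX_H_<suffix>.
REGEX_DEFINE='^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_REGEX_H([[:space:]]|$)'

# regex_h_enabled CONFIG_H: succeeds if regex support is still switched on.
regex_h_enabled() {
    grep -Eq "$REGEX_DEFINE" "$1"
}

# disable_regex_h CONFIG_H
#   0 = HAVE_REGEX_H is not defined afterwards (edited now, or already off)
#   1 = CONFIG_H missing (configure has not been run)
#   2 = the define is still present after the edit
disable_regex_h() {
    cfg=$1
    [ -f "$cfg" ] || { echo "$cfg not found: run ./configure first" >&2; return 1; }
    if regex_h_enabled "$cfg"; then
        cp -p "$cfg" "$cfg.orig"    # keep configure's output for comparison
        sed -E "s/${REGEX_DEFINE}.*\$/#undef HAVE_REGEX_H/" "$cfg.orig" > "$cfg"
    fi
    if regex_h_enabled "$cfg"; then return 2; fi
    return 0
}

# Constructed sample standing in for a generated config.h (macro names other
# than HAVE_REGEX_H are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.h" <<'EOF'
/* constructed sample, not real configure output */
#define HAVE_EXAMPLE_A_H 1
#define HAVE_REGEX_H 1
#define HAVE_REGEX_H_LOOKALIKE 1
EOF
disable_regex_h "$demo_dir/config.h" && grep -n 'REGEX_H' "$demo_dir/config.h"
rm -rf "$demo_dir"
```
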

Adam Tkac

Mar 26, 2013, 12:32:35 PM
to tosecurit...@isc.org, bind-...@lists.isc.org
Hello,

if I understand correctly, this isn't an issue in BIND itself but it is some memory
leak in the underlying regexp library (glibc in the Linux case). Can you please clarify
which exact flaw in glibc (or other regex implementation) makes BIND vulnerable
to remote DoS? Is it already reported to regex library developers? Was it
already fixed (and how)?

I'm asking because from a distribution point of view it's better to address this
flaw directly in the regex implementation, which will automatically make BIND
invulnerable.

Thank you in advance for your response.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.

Jack Tavares

Mar 26, 2013, 2:05:23 PM
to suppor...@isc.org, bind-...@isc.org

I have a request for clarification:

The workaround states to rebuild BIND with regexp support disabled.

And I see new versions of BIND have been released.
Are those versions just a rebuild with regexp support disabled?
Or are they a more comprehensive fix?

thanks.

--
Jack Tavares

ISC Support Staff

Mar 26, 2013, 2:08:38 PM
to Jack Tavares, bind-...@isc.org
On 3/26/13 10:05 AM, Jack Tavares wrote:
>
> I have a request for clarification:
>
> The workaround states to rebuild BIND with regexp support disabled.
>
> And I see new versions of BIND have been released.
> Are those versions just a rebuild with regexp support disabled?
> Or are they a more comprehensive fix?

This question is addressed in the "CVE-2013-2266: FAQ and Supplemental
Information" Knowledge Base article, which I encourage everyone to read.
https://kb.isc.org/article/AA-00879

Please see specifically the section which begins:

"What is the difference between deploying the patched versions
of BIND versus implementing the documented workaround?"

Thanks,

Michael McNally
ISC Support

Jack Tavares

Mar 26, 2013, 2:12:01 PM
to ISC Support Staff, bind-...@isc.org
Thank you.

--
Jack Tavares

Mark Andrews

Mar 26, 2013, 4:58:27 PM
to Adam Tkac, security...@isc.org, bind-...@isc.org

In message <20130326163...@redhat.com>, Adam Tkac writes:
> Hello,
>
> if I understand correctly, this isn't an issue in BIND itself but it is some memory
> leak in the underlying regexp library (glibc in the Linux case). Can you please clarify
> which exact flaw in glibc (or other regex implementation) makes BIND vulnerable
> to remote DoS? Is it already reported to regex library developers? Was it
> already fixed (and how)?
>
> I'm asking because from a distribution point of view it's better to address this
> flaw directly in the regex implementation, which will automatically make BIND
> invulnerable.
>
> Thank you in advance for your response.
>
> Regards, Adam

While I understand your issues bind-users isn't the forum to answer them.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org