BlueCat Networks understands the critical nature of DNS, DHCP and IPAM services and the impact of a security risk to these services. As part of BlueCat's initiative to provide customers with up-to-date information on potential security issues, we publicly track all known security issues related to our products. A description of each published security issue is listed below, outlining the impact of each issue and how to mitigate the attack.

May 2017

An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"

CERT NUMBER: CVE-2017-3136

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
All Supported BDDS Versions

Short Description:

A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Please visit Care and review KI-015687 for additional information associated with this vulnerability.

A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

CERT NUMBER: CVE-2017-3137

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
All Supported BDDS Versions

Short Description:

Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order.

Please visit Care and review KI-015688 for additional information associated with this vulnerability.

A null command string can cause a REQUIRE assertion failure

CERT NUMBER: CVE-2017-3138

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
All Supported BDDS Versions

Short Description:

The DNS service contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel using a program such as rndc. A vulnerability has been discovered where a regression introduced in a recent feature change has created a situation under which some versions of the DNS service crash with a REQUIRE assertion failure if sent a null command string.

Please visit Care and review KI-016948 for additional information associated with this vulnerability.

October 2016

A new vulnerability has been detected that affects recursive resolvers in BIND. This occurs when named is processing a response which contains elements in an unexpected order or combination. When processing the response, named reaches an inconsistent state and terminates with an assertion failure.

CERT NUMBER: CVE-2016-8864

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
All Supported BDDS Versions

Short Description:

A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c. During processing of a recursive response that contains a DNAME record in the answer section, BIND can stop execution after encountering an assertion error in resolver.c (error message: "INSIST((valoptions & 0x0002U) != 0) failed") or db.c (error message: "REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed").

A server encountering either of these error conditions will stop, resulting in denial of service to clients. The risk to authoritative servers is minimal; recursive servers are mainly at risk.

Please visit Care and review KB-8380 for additional information associated with this vulnerability.

September 2016

Sending a packet with certain properties to a BIND nameserver can cause named to terminate with a REQUIRE assertion failure in buffer.c.

CERT NUMBER: CVE-2016-2776

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
BDDS v8.x, v7.x

Short Description:

A critical error condition can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.

This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query') and a REFUSED response is generated.

Please visit Care and review KB-8283 for additional information associated with this vulnerability.

July 2016

Lightweight Resolver implementation in BIND can cause infinite recursion in the server when a query is processed that meets certain criteria

CERT NUMBER: CVE-2016-1285

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
None

Short Description:
An error has been discovered in the BIND implementation of the lightweight resolver protocol affecting systems which use this alternate method to do name resolution.

A server which is affected by this defect will terminate with a segmentation fault error, resulting in a denial of service to client programs attempting to resolve names. Although not commonly used, the BIND package contains provisions to allow systems to resolve names using the lightweight resolver protocol, a protocol similar to (but distinct from) the normal DNS protocols. The lightweight resolver protocol can be used either by running the lwresd utility installed with BIND or by configuring named using the "lwres" statement in named.conf.

Please visit Care and review KB #08118 for additional information associated with this vulnerability.

March 2016

RNDC can be exploited to cause assertion failure resulting in denial of service on ISC DNS Servers

CERT NUMBER: CVE-2016-1285

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
BDDS v6.7.x, v7.0.x, 7.1.x, v8.0.0

Short Description:
A security vulnerability has been discovered where a defect in control channel input handling can cause named to exit due to an assertion failure. This occurs in sexpr.c or alist.c when a malformed packet is sent to named's control channel (the interface which allows named to be controlled using the 'rndc' server control utility). This assertion occurs before authentication but after network-address-based access controls have been applied.

Please visit Care and review KB #07566 for additional information associated with this vulnerability.

Parsing RRSIGs for DNAME records with specific properties can cause assertion failure on ISC DNS Servers

CERT NUMBER: CVE-2016-1286

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
BDDS v6.7.x, v7.0.x, 7.1.x, v8.0.0

Short Description:
A security vulnerability has been found in ISC BIND when parsing RRSIGs for DNAME records that have specific properties, leading to named exiting as a result of an assertion failure in resolver.c or db.c. An attacker able to cause a server to make a query deliberately chosen to generate a response containing such RRSIGs could exercise this vulnerability, resulting in denial of service to clients.

Please visit Care and review KB #07567 for additional information associated with this vulnerability.

ISC DNS Servers with DNS Cookie support can be remotely attacked when processing a response with multiple cookie options

CERT NUMBER: CVE-2016-2088

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DNS.

Affected Versions:
None

Short Description:
ISC BIND has preliminary support for DNS cookies (or source identity tokens), a proposed mechanism designed to allow lightweight transaction security between a querying party and a nameserver. An error in the BIND code implementing support for this optional feature permits a deliberately misconstructed packet containing multiple cookie options to cause named to terminate with an INSIST assertion failure in resolver.c if DNS cookie support is enabled in the server.

Please visit Care and review KB #07568 for additional information associated with this vulnerability.

DHCP Failover and OMAPI port exhaustion resulting in denial of service

CERT NUMBER: CVE-2016-2774

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC DHCPD.

Affected Versions:
None

Short Description:
A security risk has been discovered with ISC DHCP wherein the server does not effectively limit the number of simultaneous open TCP connections used for inter-process communications and control. Under certain conditions, a malicious party could take advantage of this to interfere with DHCP server operation by opening (and never closing) a large number of TCP connections to the server.

Please visit Care and review KB #07584 for additional information associated with this vulnerability.

January 2016

ISC_R_NOSPACE and other errors from render_ecs are not properly handled and DNS service can crash

CERT NUMBER: CVE-2015-8705

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
BlueCat DNS/DHCP Server (Adonis) v8.0.0

Short Description:
The issue occurs when formatting DNS messages to text and while processing an OPT RR. In the specific case of this crash, it is a malformed CLIENT-SUBNET option that moves the buffer forward from where the caller expects it. The caller then proceeds to move the buffer forward to skip that option too and it causes an assertion failure.

Please visit Care and review KB #07418: CVE-2015-8705 to download the patch and associated release note.

When printing a record and there isn't enough buffer space available, DNS service can crash with INSIST message

CERT NUMBER: CVE-2015-8704

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
BlueCat DNS/DHCP Server (Adonis) v8.0.0

Short Description:
This crash can be triggered in the following situations:

  • Slave DNS servers using text-format db files are vulnerable if they receive the record from their master.
  • Masters using text-format db files are vulnerable if they receive the record in a DDNS update.
  • Recursive resolvers are vulnerable if they log the record at debug logging level.
  • Issuing 'rndc dumpdb' on the DNS server.

Please visit Care and review KB #07417: CVE-2015-8704 to download the patch and associated release note.

An integer overflow in a length calculation on a received packet can be exploited to cause a fatal error

CERT NUMBER: CVE-2015-8605

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
BlueCat DNS/DHCP Server (Adonis) v6.7.x, v7.0.x, v7.1.x and v8.0.0

Short Description:
An error in the handling of an integer overflow in a length calculation on a received packet can cause a fatal error, causing the DHCP service to crash. This vulnerability could be intentionally exploited and could be used as a denial-of-service vector against servers.

Please visit Care and review KB #07372: CVE-2015-8605 to download the patch and associated release note.

December 2015

An error in the parsing of incoming responses can trigger a REQUIRE assertion failure

CERT NUMBER: CVE-2015-8000

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
BlueCat DNS/DHCP Server (Adonis) v6.7.x, v7.0.x, v7.1.x and v8.0.0

Short Description:
An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries.

An attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion in db.c, causing named to exit and denying service to clients. The risk to recursive servers is high. Authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs.

Please visit Care and review KB #07304 to download the patch and associated release note.

A race condition can cause a recursive server under heavy load to encounter an INSIST assertion failure

CERT NUMBER: CVE-2015-8461

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
None

Short Description:
This vulnerability exists in BIND where a race condition can cause a recursive server under heavy load to encounter an INSIST assertion failure under some circumstances. BlueCat products do not include the affected versions of BIND and hence are not subject to this security risk.

Please visit Care and review KB #07355 to download the patch and associated release note.

September 2015

Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c

CERT NUMBER: CVE-2015-5722

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
BlueCat DNS/DHCP Server (Adonis) v6.7.x, v7.0.x and v7.1.x

Short Description:
Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key.

Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service. Servers which are affected may terminate with an assertion failure, causing denial of service to all clients.

Please visit Care and review KB #07031 to download the patch and associated release notes.

An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c

CERT NUMBER: CVE-2015-5986

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
None

Short Description:
An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure. This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query.

A server which encounters this error will terminate due to a REQUIRE assertion failure, resulting in denial of service to clients. Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server.

Please visit Care and review KB #07043 for any additional information.

July 2015

An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure

CERT NUMBER: CVE-2015-5477

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
BlueCat DNS/DHCP Server (Adonis) v6.7.x, v7.0.x and v7.1.x

Short Description:
A remotely-exploitable vulnerability has been recently discovered which affects all supported versions of ISC BIND 9.0. If exploited, this vulnerability could allow a malicious remote attacker to trigger a denial-of-service attack that can crash BIND, resulting in a critical service outage.

This vulnerability only applies to all customers running BDDS v6.7.1, v7.0.x and v7.1.x as these appliances contain the vulnerable package. Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.

Please visit Care and review KB #06746 to download the patch and associated release notes.

A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that DNS service will exit with a "REQUIRE" failure in name.c

CERT NUMBER: CVE-2015-4620

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
BlueCat DNS/DHCP Server (Adonis) v6.7.x, v7.0.x and v7.1.x

Short Description:
A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that DNS service will exit with a "REQUIRE" failure in name.c when validating the data returned in answer to a recursive query. This means that a recursive resolver that is performing DNSSEC validation can be deliberately crashed by an attacker who can cause the resolver to perform a query against a maliciously-constructed zone.

This vulnerability only applies to customers who have deployed trust anchors to recursive servers with DNSSEC validation enabled. A recursive resolver that is performing DNSSEC validation can be deliberately crashed by any attacker who can cause a query to be performed against a maliciously constructed zone. This will result in a denial of service to clients who rely on that resolver.

Please visit Care and review KB-6639 to download the patch and associated release notes.

December 2014

Failure to place limits on delegation chaining can allow an attacker to crash DNS service or cause memory exhaustion

CERT NUMBER: CVE-2014-8500

A vulnerability has been announced by the Internet Systems Consortium (ISC) which affects ISC BIND.

Affected Versions:
BlueCat DNS/DHCP Server (Adonis) v6.7.x, v7.0 and v7.0.6

Short Description:
Through the use of maliciously constructed zones or a rogue server, an attacker can exploit an oversight in the BIND 9 code to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process).

All recursive resolvers are affected. Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.

Please visit Care and review KB-3935 to download the patch and associated release notes.

November 2014

Shellshock: Bash command shell contains a vulnerability that allows remote attackers to execute arbitrary code

CERT NUMBER: CVE-2014-6271 and CVE-2014-7169

Two vulnerabilities have been announced, CVE-2014-6271 and CVE-2014-7169, which affect the version of the bash command shell used by both Address Manager (Proteus) and DNS/DHCP Server (Adonis).

Affected Versions:

All Address Manager (Proteus) and DNS/DHCP Server (Adonis) versions.

Short Description:

A vulnerability was discovered in the bash shell related to how bash processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment.

NOTE: Although both systems use a vulnerable version of the bash command shell, no remote exploits could be found. Although the systems are not exploitable remotely, BlueCat does recognize the visibility and attention associated with this security vulnerability and has released a patch to update all supported systems to a non-vulnerable version of the bash shell.

Please visit Care and review KB-7446 to download the patch and associated release notes.

April 2014

SSL contains a vulnerability that could disclose private information to an attacker

CERT NUMBER: CVE-2014-0160

A vulnerability has been announced - CVE-2014-0160 which affects the version of SSL used by BlueCat.

Affected Versions:

All Address Manager (Proteus) 4.x and DNS/DHCP Server (Adonis) 7.x versions.

Short Description:

By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

OpenSSL contains a flaw in its implementation of the TLS/DTLS heartbeat functionality (RFC6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Please visit Care and review KB-6745 to download the patch and associated release notes.

January 2014

A Crafted Query Against an NSEC3-signed Zone Can Crash BIND

CERT NUMBER: CVE-2014-0591

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2014-0591 which affects ISC BIND.

Affected Versions:

Authoritative name servers using DNSSEC with at least one NSEC3-signed zone.

Short Description:

A specially crafted query against an NSEC3-signed zone can crash DNS.

Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. By exploiting this defect an attacker deliberately constructing a query with the right properties could achieve denial of service against an authoritative nameserver serving NSEC3-signed zones.

Affected Adonis Versions:

BlueCat's assessment of CVE-2014-0591 has determined that all supported versions of Adonis are affected. A patch has been released to address the issue for these affected versions.

Please visit Care and review KB-6419 to download the patch and associated release notes.

July 2013

Malformed DNS query can cause DNS server to terminate

CERT NUMBER: CVE-2013-4854

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2013-4854 which affects ISC BIND.

Short Description:

A specially crafted query that includes malformed RDATA can cause DNS service to terminate with an assertion failure while rejecting the malformed query.

Authoritative and recursive servers are equally vulnerable. Intentional exploitation of this issue can cause a denial-of-service (DoS) in all DNS servers running affected versions of Adonis. Access Control Lists do not provide any protection against malicious clients.

Affected Adonis Versions

BlueCat Networks' assessment of CVE-2013-4854 has determined that Adonis versions 6.5, 6.7 and 6.7.1 are affected. A patch has been released to address the issue for these affected versions.

Please visit Care and review KB-5410 to download the patch and associated release notes. Versions prior to v6.5 are not affected.

June 2013

Malformed zone query can cause DNS resolver to crash

CERT NUMBER: CVE-2013-3919

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2013-3919 which affects ISC BIND.

Short Description:

A recursive resolver can be crashed by a query for a deliberately constructed malformed zone.

Affected Adonis Versions

BlueCat's assessment of the CVE-2013-3919 security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Adonis appliances currently use a version of ISC BIND that is not affected. There is therefore no need for BlueCat customers to patch their Adonis appliances to address CVE-2013-3919.

Please visit Care and review KB-4909 for additional details.

March 2013

A specially crafted DNS query can cause excessive DNS memory leak

CERT NUMBER: CVE-2013-2266

A vulnerability has been announced by the ISC (Internet Systems Consortium) – CVE-2013-2266 which affects ISC BIND.

Short Description:

A vulnerability exists in the DNS service that allows an attacker to deliberately cause excessive memory consumption by the DNS service, potentially resulting in exhaustion of memory resources on the affected server.

Intentional exploitation of this condition can cause a denial of service in all authoritative and recursive DNS servers running affected versions of BIND 9. Additionally, other services which run on the same physical machine as an affected DNS server could be compromised through exhaustion of system memory.

Affected Adonis Versions:

BlueCat Networks' assessment of CVE-2013-2266 has determined that versions 6.5, 6.7 and 6.7.1 of Adonis are affected. A patch has been released to address the issue. Please visit Care and review KB-5018 to download the patch and associated release notes.

Adonis customers should apply the appropriate patch matching their current production version.

Memory exhaustion bug found in ISC DHCP

CERT NUMBER: CVE-2013-2494

A vulnerability has been announced by the ISC (Internet Systems Consortium) – CVE-2013-2494 which affects ISC DHCP.

Short Description:

A vulnerability has been announced by the ISC (Internet Systems Consortium) – CVE-2013-2494 which affects ISC DHCP.

Affected Adonis Versions:

BlueCat Networks' assessment of the CVE-2013-2494 security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC DHCP that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances to address CVE-2013-2494. Please visit Care and review KB-5033 for additional details.

December 2012

A specially crafted query can cause DNS64-enabled DNS servers to crash

CERT NUMBER: CVE-2012-5688

A vulnerability has been announced by the ISC (Internet Systems Consortium) – CVE-2012-5688 which affects ISC BIND.

Short Description:

Name servers using the DNS64 transition mechanism for IPv6 are vulnerable to a software defect that allows a crafted query to crash the server due to an assertion failure.

Remote exploitation of this defect results in a denial-of-service (DoS) against the affected server(s).

Affected Adonis Versions:

BlueCat Networks' assessment of CVE-2012-5688 has determined that only Adonis v6.7.1 servers with DNS64 enabled are affected. A patch has been released to address the issue. Please visit Care and review KB-4606 to download the patch and associated release notes.

Adonis customers running v6.7.1 with DNS64 enabled should apply the appropriate patch matching their current production environment.

September 2012

A Specially Crafted Combination of Resource Records can cause a Lockup in the DNS Service

CERT NUMBER: CVE-2012-5166

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2012-5166 which affects ISC BIND.

Short Description:

If specific combinations of RDATA are loaded into a DNS server, either via cache or an authoritative zone, a subsequent query for a related record will cause DNS service to lock up.

A DNS server that has become locked-up, due to the problem reported in this advisory, will not respond to queries or control commands. Normal functionality cannot be restored except by terminating and restarting DNS service.

This vulnerability can be exploited remotely against recursive servers by inducing them to query for records provided by an authoritative server. It affects authoritative servers if one of the combinations of resource records is loaded from file, provided via zone transfer, or submitted to a zone via dynamic update.

Affected Adonis Versions:

BlueCat Networks' assessment of CVE-2012-5166 has determined that all versions of Adonis are affected. Patches for all supported versions have been released. Please visit Care for more information.

Queries for DNS Records Larger than 65535 Bytes can Cause DNS to Fail

CERT NUMBER: CVE-2012-4244

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2012-4244 which affects ISC BIND.

Short Description:

If a record with RDATA in excess of 65535 bytes is loaded into a name server, a subsequent query for that record will cause the name server to exit with an assertion failure.

This vulnerability can be exploited remotely against recursive servers by inducing them to query for records provided by an authoritative server. It affects authoritative servers if a zone containing this type of resource record is loaded from file or provided via zone transfer.

Affected Adonis Versions:

BlueCat Networks' assessment of CVE-2012-4244 has determined that all versions of Adonis are affected. Patches for all supported versions have been released. Please visit Care to download the patch applicable to your current Adonis software release.

July 2012

An Error in the Handling of Malformed Client Identifiers for DHCPv6 can Cause a Denial-of-Service Condition in Affected Servers

CERT NUMBER: CVE-2012-3570

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2012-3570 which affects ISC DHCP.

Short Description:

An error in the handling of malformed client identifiers can cause a DHCPv6 server running affected versions to enter a state where further client requests are not processed and the server process loops endlessly, consuming all available CPU cycles and resulting in a denial of service.

Under normal circumstances this condition should not be triggered, but a non-conforming or malicious client could deliberately trigger it in a vulnerable server. In order to exploit this condition an attacker must be able to send requests to the DHCPv6 server.

Affected Adonis Versions:

BlueCat Networks' assessment of the CVE-2012-3570 security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC DHCP that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances to address CVE-2012-3570.

An Error in the Handling of Malformed Client Identifiers can Cause a Denial-of-Service Condition in Affected Servers

CERT NUMBER: CVE-2012-3571

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2012-3571 which affects ISC DHCP.

Short Description:

An error in the handling of malformed client identifiers can cause a DHCP server running affected versions to enter a state where further client requests are not processed and the server process loops endlessly, consuming all available CPU cycles and resulting in a denial of service.

Under normal circumstances this condition should not be triggered, but a non-conforming or malicious client could deliberately trigger it in a vulnerable server. In order to exploit this condition an attacker must be able to send requests to the DHCP server.

BlueCat Networks has released patches for all supported versions. Please visit Care to download the patch applicable to your current Adonis software release.

Thank you for your continuing partnership and cooperation.

Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND9

CERT NUMBER: CVE-2012-3817

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2012-3817 which affects ISC BIND.

Short Description:

High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a "bad cache" data structure before it has been initialized.

BIND 9 stores a cache of query names that are known to be failing due to improperly configured name servers or a broken chain of trust. Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure.

BlueCat Networks has released patches for all supported versions. Please visit Care to download the patch applicable to your current Adonis software release.

Thank you for your continuing partnership and cooperation.

High TCP Query Load Can Trigger a Memory Leak in BIND 9

CERT NUMBER: CVE-2012-3868

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2012-3868 which affects ISC BIND.

Short Description:

Under heavy incoming TCP query loads named experiences a memory leak which may lead to significant reductions in query response performance. Additionally, this can trigger an automatic shutdown if named is running on a system that kills out-of-memory processes.

Affected Adonis Versions:

BlueCat Networks assessment of the CVE-2012-3868 security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC BIND that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances to address CVE-2012-3868.

Memory leaks found in ISC DHCP

CERT NUMBER: CVE-2012-3954

Short Description:

Two memory leaks have been discovered and fixed in the DHCP code. One of the leaks only affects servers running in DHCPv6 mode. The other is known to affect a server running in DHCPv6 mode but could potentially occur on servers running in DHCPv4 mode as well. In both cases the server can leak a small amount of memory while processing messages. The amount leaked per iteration is small and the leak will not cause problems in many cases. However, on a server running for a long period of time without re-starting or a server handling an extraordinarily high amount of traffic from the clients, the leak could consume all memory available to the DHCP server process, thereby preventing further operation by the DHCP server process and potentially interfering with other services hosted on the same server hardware.

BlueCat Networks has released patches for all supported versions. Please visit Care to download the patch applicable to your current Adonis software release.

Thank you for your continuing partnership and cooperation.

FEBRUARY 2012

Ghost Domain Names: Revoked Yet Still Resolvable

CERT NUMBER: CVE-2012-1033

Summary:

ISC has been notified by Haixin Duan (a professor at Tsinghua University in Beijing, China, who is currently visiting the International Computer Science Institute (ICSI) at the University of California, Berkeley) about a DNS resolver vulnerability. This vulnerability allows a miscreant to keep a domain name in the cache even after it has been deleted from registration. ISC is evaluating the risk of this vulnerability, but the published paper shows how this was done live across the Internet. It lists several DNS implementations and open resolver deployments as vulnerable.

Short Description:

Tsinghua University researchers discovered "a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers." The issue, which is in all versions of BIND 9 to our knowledge, "exploits a vulnerability in DNS cache update policy, which prevents effective domain name revocation. Attackers could cause a malicious domain name to be continuously resolvable even after the delegated data has been deleted from the domain registry and after the TTL associated with entry supposedly expires." (quoted sections are from the Tsinghua University research document)

Workarounds:

Workarounds are under investigation.

BlueCat Networks assessment of the CVE-2012-1033 security advisory has demonstrated that Adonis appliances running v4.x, v5.x and v6.x may be subject to this vulnerability. BlueCat Networks is committed to ensuring the security of its DDI solution. We are working closely with ISC to assess the risk of this vulnerability and publish patches within the shortest possible timeframe. In the meantime, we will continue to provide updates both through direct communication and via our public website. Thank you for your continuing partnership and cooperation.

JANUARY 2012

An Error in DDNS Processing of DHCPv6 Leases Can Cause a Crash in ISC dhcpd

CERT NUMBER: CVE-2011-4868

Summary:

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2011-4868 which affects ISC DHCP.

Short Description:

Due to improper handling of a DHCPv6 lease structure, ISC DHCP servers that are serving IPv6 address pools AND using Dynamic DNS can encounter a segmentation fault error while updating lease status under certain conditions. The potential exists for this condition to be intentionally triggered, resulting in effective denial of service to clients expecting service from the affected server. Users of affected versions who use DHCPv6 and Dynamic DNS should upgrade to version 4.2.3-P2.

BlueCat Networks assessment of the CVE-2011-4868 security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC DHCP that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances to address CVE-2011-4868.

Please visit Care for more information.


DECEMBER 2011

ISC DHCP Regular Expressions Segfault

CERT NUMBER: CVE-2011-4539

A vulnerability has been announced by the ISC (Internet Systems Consortium) — CVE-2011-4539 which affects ISC DHCP.

Short Description:

Segmentation fault from dhcpd while processing an evaluated regular expression.

A bug exists which allows an attacker who is able to send DHCP Request packets, either directly or through a relay, to remotely crash an ISC DHCP server if that server is configured to evaluate expressions using a regular expression (i.e. uses the "~=" or "~~" comparison operators). Further details are being withheld to allow administrators of affected systems time to patch. You are potentially vulnerable if you use regular expression comparison operators in your dhcpd.conf.

Affected DHCP Versions:

4.0.x and higher, including all EOL versions back to 4.0, 4.1-ESV, and 4.2.x

BlueCat Networks has released patches for all supported versions. Please visit Care (https://care.bluecatnetworks.com) to download the patch applicable to your current Adonis software release.

Thank you for your continuing partnership and cooperation.

NOVEMBER 2011

ISC BIND Resolver Crash

CERT NUMBER: CVE-2011-4313

Short Description:

Organizations have reported crashes interrupting service on BIND 9 nameservers performing RECURSIVE queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))"

Affected BIND Versions:

BIND 9.4-ESV-R, BIND 9.6-ESV-R, BIND 9.7, BIND 9.8

Workarounds:

For workaround details and patch release timing please visit Care (https://care.bluecatnetworks.com) and consult Knowledge Base article #2923.

AUGUST 2011

ISC DHCP Server Halt

CERT NUMBERS: CVE-2011-2748 and CVE-2011-2749

Summary:

Two vulnerabilities in DHCP have been announced by the ISC (Internet Systems Consortium), CVE-2011-2748 and CVE-2011-2749, which affect all currently supported versions of Adonis DNS/DHCP software. BlueCat Networks has released patches for all supported Adonis versions. Please visit Care (https://care.bluecatnetworks.com) to download the patch applicable to your current Adonis software release.

Short Description:

A pair of defects cause the server to halt upon processing certain packets.

Affected DHCP Versions:

ISC DHCP versions 3.1.0 through 3.1-ESV-R1 (R2 never released), 4.0 all versions (EOL), 4.1.0 through 4.1.2rc1, 4.1-ESV through 4.1-ESV-R3b1, and 4.2.0 through 4.2.2rc1.

For more information on Adonis appliances, please contact us via Care (https://care.bluecatnetworks.com) and we'll be happy to assist you. Thank you for your continuing partnership and cooperation.

JULY 2011

ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers

CERT NUMBER: CVE-2011-2464

Short Description:

A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.

BlueCat Networks has released patches for all supported versions impacted by CVE-2011-2464. Please visit Care (https://care.bluecatnetworks.com) to download the patch applicable to your current Adonis software release.

ISC BIND 9 Remote Crash with Certain RPZ Configurations

CERT NUMBER: CVE-2011-2465

Short Description:

A defect in the affected versions of BIND could cause the "named" process to exit when queried, if the server has recursion enabled and was configured with an RPZ zone containing certain types of records. Specifically, these are any DNAME record and certain kinds of CNAME records.

BlueCat Networks assessment of the CVE-2011-2465 security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC BIND that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances to address CVE-2011-2465.

For more information on Adonis appliances, please contact us via Care (care.bluecatnetworks.com) and we'll be happy to assist you. Thank you for your continuing partnership and cooperation.

MAY 2011

Large RRSIG RRsets and Negative Caching can crash named

CERT NUMBER: CVE-2011-1910

A vulnerability has been announced by the ISC (Internet Systems Consortium), CVE-2011-1910, which affects ISC BIND versions 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3, 9.7.1 and later, and 9.8.0 and later.

ISC Security Advisory provides the following description:

Short Description:

DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the negative cache.

The authority data will be cached along with the negative cache information. These authoritative Start of Authority (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type.

In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.

The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC-signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization's caching resolvers, using the negative caches, and then "trigger" the vulnerability. The attacker would require access to an organization's caching resolvers. Access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the e-mail that will cause the client to do a lookup that ends up in a negative cache).

BlueCat Networks has released patches for all supported versions. Please visit Care (https://care.bluecatnetworks.com) to download the patch applicable to your current Adonis software release.

Thank you for your continuing partnership and cooperation.

RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

CERT NUMBER: CVE-2011-1907

A vulnerability has been announced by the ISC (Internet Systems Consortium), CVE-2011-1907, which affects ISC BIND version 9.8.0.

ISC Security Advisory provides the following description:

Short Description:

This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.

BlueCat Networks assessment of this security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC DHCP that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances.

For more information on Adonis appliances, please contact us via Care (care.bluecatnetworks.com) and we'll be happy to assist you. Thank you for your continuing partnership and cooperation.

FEBRUARY 2011

Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

CERT NUMBER: VU#559980

A vulnerability has been announced by the ISC (Internet Systems Consortium), VU#559980 (CVE-2011-0414), which affects ISC BIND versions 9.7.1 through 9.7.2-P3.

ISC Security Advisory provides the following description:

Short Description:

When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.

BlueCat Networks has released a patch which addresses this vulnerability. This patch applies to the following releases: 6.0.2, 6.1, 6.1.1 and 6.5, and can be obtained from the Care portal at https://care.bluecatnetworks.com.

For more information on Adonis appliances, please contact us via Care (care.bluecatnetworks.com) and we'll be happy to assist you. Thank you for your continuing partnership and cooperation.

ISC: BIND 9 DNSSEC Validation Fails on new DS record:

(https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record)

On February 4th, 2011, ISC announced that certain versions of BIND are affected by a known bug that will cause DNSSEC validation errors when a new DS record is inserted into a trusted DNSSEC validation tree. These errors occurred when the DS record for .NET was inserted into the root. These failures will cause BIND 9 to return SERVFAIL to queries under this newly inserted DS.

When a DS record for .COM is inserted into the root on 31 March 2011, non-upgraded BIND 9 resolvers with DNSSEC validation enabled will have a high probability of being unable to successfully resolve .COM names unless they are restarted.

DNSSEC is not new technology, but its widespread deployment and use have just begun recently. It is critical that operators and enterprises using DNSSEC validation keep DNS servers and tools as up to date as possible.

To address this bug, BlueCat Networks will be posting a patch on its Care site (https://care.bluecatnetworks.com) shortly. We are putting all necessary resources towards the solution and thank you for your continued partnership.

JANUARY 2011

DHCP May Crash After Processing a DHCPv6 Decline Message

CERT NUMBER: VU#686084

A vulnerability has been announced by the ISC (Internet Systems Consortium), VU#686084, which affects ISC DHCP versions 4.0.x - 4.2.x.

ISC Security Advisory provides the following description:

Title: "DHCP May Crash After Processing a DHCPv6 Decline Message"

Short Description:

When the DHCPv6 server code processes a message for an address that was previously declined and internally tagged as abandoned it can trigger an assert failure resulting in the server crashing. This could be used to crash DHCPv6 servers remotely. This issue only affects DHCPv6 servers. DHCPv4 servers are unaffected.

BlueCat Networks assessment of this security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC DHCP that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances.


NOVEMBER 2010

Multiple ISC BIND vulnerabilities

CERT: VU#706148, VU#837744 and VU#510208

The ISC (Internet Systems Consortium) has announced 3 BIND vulnerabilities. The ISC Security Advisory provides the following descriptions:

CVE: CVE-2010-3613
  • Severity: High
  • Title: BIND cache incorrectly allows a cache entry and a RRSIG for the same type
  • Description: Adding certain types of signed negative responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (INSIST).
CVE: CVE-2010-3614
  • Severity: Low
  • Title: BIND, acting as DNSSEC validating resolver, could incorrectly mark zone data as insecure when the zone being queried is undergoing a key algorithm rollover.
  • Description: BIND, acting as a DNSSEC validator, was determining if the NS RRset is insecure based on a value that could mean either that the RRset is actually insecure or that there wasn't a matching key for the RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY RRset.

    This can happen when in the middle of a DNSKEY algorithm rollover, when two different algorithms were used to sign a zone but only the new set of keys are in the zone DNSKEY RRset.

    See http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-02#section-4.2.4 for an example scenario.
CVE: CVE-2010-3615
  • Severity: High
  • Title: Using "allow-query" in the "options" or "view" statements to restrict access to authoritative zones has no effect.
  • Description: When named is running as an authoritative server for a zone and receives a query for that zone data, it first checks for allow-query ACLs in the zone statement, then in that view, then in global options. If none of these exist, it defaults to allowing any query (allow-query {"any"};). With this bug, if the allow-query is not set in the zone statement, it failed to check in view or global options and fell back to the default of allowing any query. This means that queries that the zone owner did not wish to allow were incorrectly allowed. This bug doesn't affect allow-recursion or allow-query-cache ACLs, since they are not relevant to a zone for which the server is authoritative.

BlueCat Networks assessment of this security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v6.0.1.11 or newer, are subject to these vulnerabilities. Proteus is not affected.

BlueCat Networks has released a dedicated patch for each affected Adonis software release which addresses all three vulnerabilities. This patch can be downloaded from the BlueCat Networks customer care portal, Care (https://care.bluecatnetworks.com).

Thank you for your continuing partnership and cooperation.

JUNE 2010

Fencepost Error on Zero-Length Client Identifier

CERT Number: 541921

A vulnerability has been announced by the ISC (Internet Systems Consortium) — CERT: VU#541921 — which affects ISC DHCP versions 4.0.x, 4.1.x and 4.2.x.

ISC Security Advisory provides the following description:

Title: "Fencepost error on zero-length client identifier"

Short Description: A request from a client containing a zero length client id will cause the server to exit.

BlueCat Networks assessment of this security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC DHCP that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances.

For more information on Adonis appliances, please contact us via Care (care.bluecatnetworks.com) and we'll be happy to assist you. Thank you for your continuing partnership and cooperation.


MARCH 2010

SSL MITM Renegotiation Attack

CVE Number: 2009-3555
CERT Number: 120541

The US-CERT (US Computer Emergency Readiness Team) has announced a vulnerability (http://www.kb.cert.org/vuls/id/120541) which affects all versions of Proteus from v2.5.2 to v3.0.2.19 inclusive.

US-CERT provides the following description:

The Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, and LDAP. A vulnerability in the way SSL and TLS protocols allow renegotiation requests may allow an attacker to inject plaintext into an application protocol stream. This could result in the attacker being able to issue commands to the server that appear to come from a legitimate source.

BlueCat Networks has released a patch which addresses this vulnerability. You can obtain this patch from the Care portal at https://care.bluecatnetworks.com

NTPD DoS Vulnerability

CVE Number: 2009-3563
CERT Number: 568372

The US-CERT (US Computer Emergency Readiness Team) has announced a vulnerability (http://www.kb.cert.org/vuls/id/568372) which affects the following versions:

  • Adonis v5.5.2 up to but not including v6.1
  • Proteus v2.5.2 to v3.1 inclusive

The ntpd daemon is an implementation of the Network Time Protocol (NTP) that is used to synchronize the time of a computer system to a reference time source. US-CERT provides the following description:

ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.

If an attacker can spoof such a request or error response packet from a source IP of an affected ntpd to the same or a different affected ntpd, the host(s) will endlessly send error responses to each other and log each event, consuming network bandwidth, CPU usage, and possibly disk space.

BlueCat Networks has released a patch which addresses this vulnerability. You can obtain this patch from the Care portal at https://care.bluecatnetworks.com

JANUARY 2010

BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses

A vulnerability has been announced by the US-CERT (US Computer Emergency Readiness Team) (http://www.kb.cert.org/vuls/id/360341) which affects the version of BIND running in versions 6.x of Adonis.

US-CERT provides the following description:

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (http://www.isc.org/) (ISC). There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set.

Adonis systems running versions 6.x are vulnerable.

BlueCat has released a patch which addresses this vulnerability (US-CERT VU#360341) by upgrading Adonis 6.x systems to ISC BIND version 9.6.1-P3, which mitigates this vulnerability. This patch can be acquired by contacting BlueCat Networks via the Customer Care Portal.

BIND 9 Cache Update from Additional Section

US-CERT VU#418861 (Updated January 19, 2010)

A vulnerability has been announced by the US-CERT (US Computer Emergency Readiness Team) (http://www.kb.cert.org/vuls/id/418861) which affects the version of BIND running in versions 6.x of Adonis.

US-CERT provides the following description:

A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query with checking disabled (CD), or when the nameserver internally triggers a query for missing records for recursive name resolution. Cached records can be returned in response to subsequent client queries with or without requesting DNSSEC records (DO). In addition, some of them can be returned to queries with or without checking disabled (CD).

Severity: Medium (SEVERE for nameservers with DNSSEC validation enabled)

Previously a patch had been released, updating vulnerable Adonis 6.x versions to ISC BIND 9.6.1-P2. However, those fixes were found by ISC to be incomplete, and ISC has since released BIND version 9.6.1-P3.

Adonis systems running versions 6.x are vulnerable.

BlueCat has released a patch which addresses this vulnerability (US-CERT VU#418861) by upgrading Adonis 6.x systems to ISC BIND version 9.6.1-P3, which mitigates this vulnerability. This patch can be acquired by contacting BlueCat Networks via the Customer Care Portal.

NOVEMBER 2009

BIND 9 Cache Update From Additional Section

The ISC (Internet Systems Consortium), developers of the BIND DNS server, has announced a vulnerability which affects the version of BIND running in versions 6.x of Adonis.

This is a potential security risk that only affects customers that allow recursive DNS queries and are performing DNSSEC validation.

BlueCat has a patch available for Adonis that will upgrade the underlying instance of ISC BIND to the relevant patched version of the software, now released by ISC, to mitigate this issue. This patch addresses the vulnerability by incorporating the ISC BIND patch which addresses CERT VU#418861.

For Adonis versions 6.x, click the link below to access the patch and installation instructions.

ftp://adonis:Ad0n1s!@supportftp.bluecatnetworks.com/patch112409

JULY 2009

A vulnerability has been announced by the US-CERT (US Computer Emergency Readiness Team) – http://www.kb.cert.org/vuls/id/725188 - which affects the version of BIND running in versions 4.x, 5.x, and 6.x of Adonis.

US-CERT provides the following description:

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (http://www.isc.org/) (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136 (http://tools.ietf.org/html/rfc2136) . BIND 9 can crash when processing a specially-crafted dynamic update packet. ISC notes that this vulnerability affects all servers and is not limited to those that are configured to allow dynamic updates.

BlueCat is working diligently to release an update to Adonis that will upgrade the underlying instance of ISC BIND to the relevant patched version of the software, now released by ISC, which will mitigate this issue. An announcement will be made as soon as this is available.

Note: If you have xHA (Crossover High Availability) enabled, the cluster will failover if attacked. This should somewhat prevent service interruption until a patch is made available.

Upon receiving this announcement, customers are strongly encouraged to patch their servers immediately, as there is no viable workaround for this issue.

JANUARY 2009

On January 18, 2009, the SANS Internet Storm Center reported the first instances of what is now being described as a DNS DDOS (distributed denial of service) attack (see http://isc.sans.org/diary.html?storyid=5713).

The attack is simple: the attacker spoofs the victim's source address in a DNS query for '.' (dot) to a DNS server, which then generates a much larger response that is sent to the victim. This is also known as an amplification attack, whereby the attacker's traffic is amplified 10-fold by the natural DNS response. The purpose of the attack is to generate as much traffic as possible to the victim's system (the spoofed address used) or network.

It is also quite likely that the owner or administrators of the participating DNS server are completely unaware that their system is being used in this way. In fact, if the queries are successfully answered, then most logging levels will not report this activity at all.

The attack takes advantage of certain configurations on the part of the participating DNS server. This includes all BIND and Microsoft DNS servers.

For Adonis, the results are as follows:

v5.5.0 and v5.5.1

With recursion enabled:

Check that "allow-query-cache" is not set to allow more than "allow-recursion". If they do not conflict, then the server will deny the request and defeat the attack.

With recursion not enabled:

Set "additional-from-cache no;" and the server will deny the request and defeat the attack.

v5.1

With recursion enabled:

The system will respond to these requests regardless of any other settings. We recommend disabling recursion on external facing Adonis systems.

With recursion disabled:

Set "additional-from-cache no;" and "additional-from-auth no;", and the server will deny the request and defeat the attack.

You can also see various other mechanisms to detect and protect against this attack on the SANS site (see http://isc.sans.org/diary.html?storyid=5713).

Neither ISC nor CERT have issued any advisories, vulnerability or other notices, indicating that this is not considered a major problem. Reports on the incidence of attacks have been low in number.

If you have special concerns, please contact BlueCat support at support@bluecatnetworks.com.


JULY 2008

A vulnerability has been announced by the US-CERT (US Computer Emergency Readiness Team) — http://www.kb.cert.org/vuls/id/800113 — which affects the version of BIND running in versions 4.x and 5.x of Adonis.

US-CERT provides the following description:

"Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. […] The following are examples of these deficiencies and defects:

  • Insufficient transaction ID space
  • Multiple outstanding requests
  • Fixed source port for generating queries"

BlueCat has released updates to Adonis v4 and v5 that will upgrade the underlying instance of the BIND DNS server to the latest release of the software, now released by ISC, which will mitigate this issue. Customers can obtain more information on how to download and apply the patch in the self-service portal or by contacting support.

To further mitigate the risk associated with this issue, customers are encouraged to do one, or all, of the following:

1. Disable recursion

Disable recursion by way of Access Control Lists to only allow trusted systems to perform recursive queries. If recursion is unnecessary it should be turned off until systems can be patched.

2. Restrict access

Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability.

3. Filter traffic at network perimeters

Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC 3704, and RFC 3013 describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
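As an added example that is not part of BlueCat's advisory or ISC's documentation, the named.conf fragment below contrasts the open settings that let an external-facing BIND server answer the spoofed '.' queries described in the January 2009 entry above with the restricted form that steps 1 and 2 here call for. The "trusted" ACL name and the 192.0.2.0/24 network are assumed placeholders for an organization's own client ranges.

```conf
// Added example, not BlueCat's or ISC's own configuration.
// "trusted" and 192.0.2.0/24 are placeholders for the organization's own
// client networks; localhost is BIND's built-in ACL.
acl "trusted" { 192.0.2.0/24; localhost; };

// --- Open (weak): anyone, including a spoofed source, gets recursion and
// --- cached data, so the server can be used to amplify traffic at a victim.
// options {
//     recursion yes;
//     allow-query { any; };
//     allow-recursion { any; };
//     allow-query-cache { any; };   // broader than allow-recursion would be
// };

// --- Restricted: recursion and cache access limited to trusted sources,
// --- while the server's own authoritative zones stay reachable (step 2).
options {
    recursion yes;
    allow-query { any; };             // authoritative data only, for everyone
    allow-recursion { "trusted"; };   // only internal clients may recurse
    allow-query-cache { "trusted"; }; // must not be wider than allow-recursion
};

// --- Alternative for an external-facing, authoritative-only server (step 1):
// --- recursion off, and no cached or authoritative additional-section data
// --- is served for the '.' query, per the Adonis v5.x guidance above.
// options {
//     recursion no;
//     allow-recursion { none; };
//     additional-from-cache no;
//     additional-from-auth no;
// };
```

Only one options block may be active in a running configuration; the commented-out blocks are shown for comparison.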

For information on this US CERT Vulnerability, please refer to http://www.kb.cert.org/vuls/id/800113.

To obtain more information to correct this BIND vulnerability, please log on to the BlueCat support portal or contact support@bluecatnetworks.com.
