Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context."

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2007-0057 advisory.

    [30:9.3.3-8]
     - added fix for #224445 - CVE-2007-0493 BIND might crash after        attempting to read free()-ed memory
     - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service
     - Resolves: rhbz#224445
     - Resolves: rhbz#225229

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A flaw was discovered in Bind's DNSSEC validation code. Remote attackers could send a specially crafted DNS query which would cause the Bind server to crash, resulting in a denial of service. Only servers configured to use DNSSEC extensions were vulnerable.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

s700_800 11.23 Bind 9.2.0 components : 

Potential vulnerabilities have been identified with HP-UX running BIND. The vulnerabilities could be exploited remotely to create a Denial of Service (DoS). References: CVE-2006-4339, CVE-2007-0493 (BIND v9.3.2 only), CVE-2007-0494.

Updated bind packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols.

A flaw was found in the way BIND processed certain DNS query responses. On servers that had enabled DNSSEC validation, this could allow a remote attacker to cause a denial of service. (CVE-2007-0494)

A use-after-free flaw was found in BIND. On servers that have recursion enabled, this could allow a remote attacker to cause a denial of service. (CVE-2007-0493)

Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2007-005 applied. 

This update fixes security flaws in the following applications :

Alias Manager BIND CoreGraphics crontabs fetchmail file iChat mDNSResponder PPP ruby screen texinfo VPN

A type * (ANY) query response containing multiple RRsets can trigger an assertion failure.

Certain recursive queries can cause the nameserver to crash by using memory which has already been freed. Impact : A remote attacker sending a type * (ANY) query to an authoritative DNS server for a DNSSEC signed zone can cause the named(8) daemon to exit, resulting in a Denial of Service.

A remote attacker sending recursive queries can cause the nameserver to crash, resulting in a Denial of Service. Workaround : There is no workaround available, but systems which are not authoritative servers for DNSSEC signed zones are not affected by the first issue; and systems which do not permit untrusted users to perform recursive DNS resolution are not affected by the second issue. Note that the default configuration for named(8) in FreeBSD allows local access only (which on many systems is equivalent to refusing access to untrusted users).

New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix denial of service security issues.
Versions of bind-9.2.x older than bind-9.2.8, and versions of bind-9.3.x older than 9.3.4 can be made to crash with malformed local or remote data.

Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to 'dereference a freed fetch context.' (CVE-2007-0493)

ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error. (CVE-2007-0494)

The updated packages have been patched to correct these issues.

The remote host is affected by the vulnerability described in GLSA-200702-06 (BIND: Denial of Service)

    An unspecified improper usage of an already freed context has been     reported. Additionally, an assertion error could be triggered in the     DNSSEC validation of some responses to type ANY queries with multiple     RRsets.
  Impact :

    A remote attacker could crash the server through unspecified vectors     or, if DNSSEC validation is enabled, by sending certain crafted ANY     queries.
  Workaround :

    There is no known workaround at this time for the first issue. The     DNSSEC validation Denial of Service can be prevented by disabling     DNSSEC validation until the upgrade to a fixed version. Note that     DNSSEC validation is disabled on a default configuration.

Fixed two security bugs

  - DNSSEC denial of service

    - BIND might crash after attempting to read free()-ed       memory

and some common bugs

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated to version 9.3.4 which contains two security bugfixes

  - Serialise validation of type ANY responses. [RT #16555]

    - It was possible to dereference a freed fetch context.
      [RT #16584]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Bind name server daemon is vulnerable to denial of service by triggering an assertion through a crafted DNS query. This only affects installations which use the DNSSEC extentions.

ID	Name	Product	Family	Severity
67445	Oracle Linux 5 : Moderate: / bind (ELSA-2007-0057)	Nessus	Oracle Linux Local Security Checks	high
28010	Ubuntu 5.10 / 6.06 LTS / 6.10 : bind9 vulnerabilities (USN-418-1)	Nessus	Ubuntu Local Security Checks	high
26138	HP-UX PHNE_35920 : HP-UX Running BIND, Remote Denial of Service (DoS) (HPSBUX02219 SSRT061273 rev.1)	Nessus	HP-UX Local Security Checks	high
25313	RHEL 5 : bind (RHSA-2007:0057)	Nessus	Red Hat Local Security Checks	high
25297	Mac OS X Multiple Vulnerabilities (Security Update 2007-005)	Nessus	MacOS X Local Security Checks	critical
24730	FreeBSD : bind -- Multiple Denial of Service vulnerabilities (3cb6f059-c69d-11db-9f82-000e0c2e438a)	Nessus	FreeBSD Local Security Checks	high
24667	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : bind (SSA:2007-026-01)	Nessus	Slackware Local Security Checks	high
24643	Mandrake Linux Security Advisory : bind (MDKSA-2007:030)	Nessus	Mandriva Local Security Checks	high
24367	GLSA-200702-06 : BIND: Denial of Service	Nessus	Gentoo Local Security Checks	high
24300	Fedora Core 5 : bind-9.3.4-1.fc5 (2007-164)	Nessus	Fedora Local Security Checks	high
24299	Fedora Core 6 : bind-9.3.4-1.fc6 (2007-147)	Nessus	Fedora Local Security Checks	high
24293	Debian DSA-1254-1 : bind9 - insufficient input sanitising	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2007-0493

high

Tenable Plugins

high

high

high

high

critical

high

high

high

high

high

high

high