ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2007-0057 advisory.

    [30:9.3.3-8]
     - added fix for #224445 - CVE-2007-0493 BIND might crash after        attempting to read free()-ed memory
     - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service
     - Resolves: rhbz#224445
     - Resolves: rhbz#225229

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2007:0044 :

Updated bind packages that fix a security issue and a bug are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols.

A flaw was found in the way BIND processed certain DNS query responses. On servers that had enabled DNSSEC validation, this could allow an remote attacker to cause a denial of service. (CVE-2007-0494)

For users of Red Hat Enterprise Linux 3, the previous BIND update caused an incompatible change to the default configuration that resulted in rndc not sharing the key with the named daemon. This update corrects this bug and restores the behavior prior to that update.

Updating the bind package in Red Hat Enterprise Linux 3 could result in nonfunctional configuration in case the bind-libs package was not updated. This update corrects this bug by adding the correct dependency on bind-libs.

Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

The remote host is missing AIX PTF U804534, which is related to the security of the package bos.net.tcp.client.

The remote host is missing AIX PTF U803849, which is related to the security of the package bos.net.tcp.client.

The remote host is missing AIX PTF U800591, which is related to the security of the package bos.net.tcp.client.

The version of BIND installed on the remote host suggests that it suffers from a denial of service vulnerability that could be triggered by sending a large volume of recursive queries that return multiple RRsets in the answer section, triggering assertion checks. To be vulnerable you need to have enabled DNSSEC validation in named.conf by specifying trusted-keys.

Note that Nessus obtained the version by sending a special DNS request for the text 'version.bind' in the domain 'chaos', the value of which can be and sometimes is tweaked by DNS administrators.

Problems addressed by these patches :

I    Arbitrary code execution and denial of service vulnerabilities

     This release fixes a security vulnerability that could allow a      guest operating system user with administrative privileges to cause      memory corruption in a host process, and thus potentially execute      arbitrary code on the host. (CVE-2007-4496)

     This release fixes a denial of service vulnerability that could      allow a guest operating system to cause a host process to become      unresponsive or exit unexpectedly. (CVE-2007-4497)

     Thanks to Rafal Wojtczvk of McAfee for identifying and reporting      these issues.

II   Hosted products DHCP security vulnerabilities addressed

     This release fixes several vulnerabilities in the DHCP server      that could enable a specially crafted packets to gain system-level      privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)

     Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security      Systems X-Force for discovering and researching these      vulnerabilities.

III  Windows based hosted product vulnerability in      IntraProcessLogging.dll and vielib.dll.

     This release fixes a security vulnerability that could allow a      malicious remote user to exploit the library file      IntraProcessLogging.dll to overwrite files in a system.
     (CVE-2007-4059)

     This release fixes a security vulnerability that could allow a      malicious remote user to exploit the library file vielib.dll to      overwrite files in a system. (CVE-2007-4155)

     Thanks to the Goodfellas Security Research Team for discovering and      researching these vulnerabilities.

IV  Escalation of privileges on Windows hosted systems

     This release fixes a security vulnerability in which Workstation      was starting registered Windows services in an insecure manner.
     This vulnerability could allow a malicious user to escalate user      privileges.

     Thanks to Foundstone for discovering this vulnerability.

V    Potential denial of service using VMware Player

     This release fixes a problem that prevented VMware Player from      launching. This problem was accompanied by the error message VMware      Player unrecoverable error: (player) Exception 0xc0000005 (access      violation) has occurred.

VI   ESX Service Console updates

a.   Service console package Samba, has been updated to address the      following issues :

     Various bugs were found in NDR parsing, used to decode MS-RPC      requests in Samba. A remote attacker could have sent carefully      crafted requests causing a heap overflow, which may have led to the      ability to execute arbitrary code on the server. (CVE-2007-2446)

     Unescaped user input parameters were being passed as arguments to      /bin/sh. A remote, authenticated, user could have triggered this      flaw and executed arbitrary code on the server. Additionally, this      flaw could be triggered by a remote unauthenticated user if Samba      was configured to use the non-default username map script option.
     (CVE-2007-2447)

     Thanks to the Samba developers, TippingPoint, and iDefense for      identifying and reporting these issues.

     Note: These issues only affect the service console network, and are      not remote vulnerabilities for ESX Server hosts that have been set      up with the security best practices provided by VMware.
     http://www.vmware.com/resources/techresources/726

b.   Updated bind package for the service console fixes a flaw with the      way ISC BIND processed certain DNS query responses.

     ISC BIND (Berkeley Internet Name Domain) is an implementation of      the DNS (Domain Name System) protocols. Under some circumstances, a      malicious remote user could launch a Denial-of-Service attack on      ESX Server hosts that had enabled DNSSEC validation.
     (CVE-2007-0494)

     Note: These issues only affect the service console network, and are      not remote vulnerabilities for ESX Server hosts that have been set      up with the security best practices provided by VMware.
     http://www.vmware.com/resources/techresources/726

c.   This patch provides updated service console package krb5 update.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)      assigned the names CVE-2007-2442, CVE-2007-2443, and CVE-2007-2798      to these security issues.

     Thanks to Wei Wang of McAfee Avert Labs discovered these      vulnerabilities.

     Note: The VMware service console does not provide the kadmind      binary, and is not affected by these issues, but a update has been      provided for completeness.

d.   Service console update for vixie-cron

     This patch provides an updated service console package vixie-cron.
     Cron is a standard UNIX daemon that runs specified programs at      scheduled times.

     A denial of service issue was found in the way vixie-cron verified      crontab file integrity. A local user with the ability to create a      hardlink to /etc/crontab could potentially prevent vixie-cron from      executing certain system cron jobs. (CVE-2007-1856)

     Thanks to Raphael Marichez for identifying this issue.

e.   Service console update for shadow-utils

     This patch provides an updated shadow-utils package.  A new      user's mailbox, when created, could have random permissions for a      short period. This could enable a local malicious user to      read or modify the mailbox. (CVE-2006-1174)

f.  Service console update for OpenLDAP

     This patch provides a updated OpenLDAP package. A flaw could      allow users with selfwrite access to modify the distinguished      name of any user, instead of being limited to modify only      their own distinguished name. (CVE-2006-4600)

g.   Service console update for PAM

     This patch provides an updated PAM package A vulnerability was      found that could allow console users with access to certain device      files to cause damage to recordable CD drives. Certain file      permissions have now been modified to disallow access.
     (CVE-2004-0813)

     A flaw was found with console device permissions. It was possible      for various console devices to retain ownership of the previoius      console user after logging out, which could result in leakage of      information to an unauthorized user. (CVE-2007-1716)

h.   Service console update for GCC

     This patch provides security fixes for the service console GNU      Compiler Collection (GCC) packages that include C, C++, Java,      Fortran 77, Objective C, and Ada 95 GNU compilers and related      support libraries.

     A flaw was found in the fastjar utility that could potentially      allow a malicious user to create a JAR file which, if unpacked      using fastjar, could write to any file that an authorized user had      write access to. (CVE-2006-3619)

     Thanks to J&uuml;rgen Weigert for identifying this issue.

i.   Service Console update for GDB

     This patch provides a security fix for the service console GNU      debugger (GDB).  Various vulnerabilities were found in GDB. These      vulnerabilities may allow a malicious user to deceive a user into      loading debugging information into GDB, enabling the execution of      arbitrary code with the privileges of the user. (CVE-2006-4146)

A flaw was discovered in Bind's DNSSEC validation code. Remote attackers could send a specially crafted DNS query which would cause the Bind server to crash, resulting in a denial of service. Only servers configured to use DNSSEC extensions were vulnerable.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

s700_800 11.23 Bind 9.2.0 components : 

Potential vulnerabilities have been identified with HP-UX running BIND. The vulnerabilities could be exploited remotely to create a Denial of Service (DoS). References: CVE-2006-4339, CVE-2007-0493 (BIND v9.3.2 only), CVE-2007-0494.

Updated bind packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols.

A flaw was found in the way BIND processed certain DNS query responses. On servers that had enabled DNSSEC validation, this could allow a remote attacker to cause a denial of service. (CVE-2007-0494)

A use-after-free flaw was found in BIND. On servers that have recursion enabled, this could allow a remote attacker to cause a denial of service. (CVE-2007-0493)

Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2007-005 applied. 

This update fixes security flaws in the following applications :

Alias Manager BIND CoreGraphics crontabs fetchmail file iChat mDNSResponder PPP ruby screen texinfo VPN

A type * (ANY) query response containing multiple RRsets can trigger an assertion failure.

Certain recursive queries can cause the nameserver to crash by using memory which has already been freed. Impact : A remote attacker sending a type * (ANY) query to an authoritative DNS server for a DNSSEC signed zone can cause the named(8) daemon to exit, resulting in a Denial of Service.

A remote attacker sending recursive queries can cause the nameserver to crash, resulting in a Denial of Service. Workaround : There is no workaround available, but systems which are not authoritative servers for DNSSEC signed zones are not affected by the first issue; and systems which do not permit untrusted users to perform recursive DNS resolution are not affected by the second issue. Note that the default configuration for named(8) in FreeBSD allows local access only (which on many systems is equivalent to refusing access to untrusted users).

New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix denial of service security issues.
Versions of bind-9.2.x older than bind-9.2.8, and versions of bind-9.3.x older than 9.3.4 can be made to crash with malformed local or remote data.

Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to 'dereference a freed fetch context.' (CVE-2007-0493)

ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error. (CVE-2007-0494)

The updated packages have been patched to correct these issues.

The remote host is affected by the vulnerability described in GLSA-200702-06 (BIND: Denial of Service)

    An unspecified improper usage of an already freed context has been     reported. Additionally, an assertion error could be triggered in the     DNSSEC validation of some responses to type ANY queries with multiple     RRsets.
  Impact :

    A remote attacker could crash the server through unspecified vectors     or, if DNSSEC validation is enabled, by sending certain crafted ANY     queries.
  Workaround :

    There is no known workaround at this time for the first issue. The     DNSSEC validation Denial of Service can be prevented by disabling     DNSSEC validation until the upgrade to a fixed version. Note that     DNSSEC validation is disabled on a default configuration.

Updated bind packages that fix a security issue and a bug are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols.

A flaw was found in the way BIND processed certain DNS query responses. On servers that had enabled DNSSEC validation, this could allow an remote attacker to cause a denial of service. (CVE-2007-0494)

For users of Red Hat Enterprise Linux 3, the previous BIND update caused an incompatible change to the default configuration that resulted in rndc not sharing the key with the named daemon. This update corrects this bug and restores the behavior prior to that update.

Updating the bind package in Red Hat Enterprise Linux 3 could result in nonfunctional configuration in case the bind-libs package was not updated. This update corrects this bug by adding the correct dependency on bind-libs.

Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Fixed two security bugs

  - DNSSEC denial of service

    - BIND might crash after attempting to read free()-ed       memory

and some common bugs

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated to version 9.3.4 which contains two security bugfixes

  - Serialise validation of type ANY responses. [RT #16555]

    - It was possible to dereference a freed fetch context.
      [RT #16584]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Bind name server daemon is vulnerable to denial of service by triggering an assertion through a crafted DNS query. This only affects installations which use the DNSSEC extentions.

ID	Name	Product	Family	Severity
67445	Oracle Linux 5 : Moderate: / bind (ELSA-2007-0057)	Nessus	Oracle Linux Local Security Checks	high
67444	Oracle Linux 3 / 4 : bind (ELSA-2007-0044)	Nessus	Oracle Linux Local Security Checks	medium
65283	AIX 5.3 TL 7 : bos.net.tcp.client (U804534)	Nessus	AIX Local Security Checks	medium
65277	AIX 5.2 TL 10 : bos.net.tcp.client (U803849)	Nessus	AIX Local Security Checks	medium
65266	AIX 5.3 TL 6 : bos.net.tcp.client (U800591)	Nessus	AIX Local Security Checks	medium
17840	ISC BIND Crafted ANY Request Response Multiple RRsets DoS	Nessus	DNS	medium
40370	VMSA-2007-0006 : Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player	Nessus	VMware ESX Local Security Checks	critical
28010	Ubuntu 5.10 / 6.06 LTS / 6.10 : bind9 vulnerabilities (USN-418-1)	Nessus	Ubuntu Local Security Checks	high
26138	HP-UX PHNE_35920 : HP-UX Running BIND, Remote Denial of Service (DoS) (HPSBUX02219 SSRT061273 rev.1)	Nessus	HP-UX Local Security Checks	high
25313	RHEL 5 : bind (RHSA-2007:0057)	Nessus	Red Hat Local Security Checks	high
25297	Mac OS X Multiple Vulnerabilities (Security Update 2007-005)	Nessus	MacOS X Local Security Checks	critical
24730	FreeBSD : bind -- Multiple Denial of Service vulnerabilities (3cb6f059-c69d-11db-9f82-000e0c2e438a)	Nessus	FreeBSD Local Security Checks	high
24667	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : bind (SSA:2007-026-01)	Nessus	Slackware Local Security Checks	high
24643	Mandrake Linux Security Advisory : bind (MDKSA-2007:030)	Nessus	Mandriva Local Security Checks	high
24367	GLSA-200702-06 : BIND: Denial of Service	Nessus	Gentoo Local Security Checks	high
24318	RHEL 2.1 / 3 / 4 : bind (RHSA-2007:0044)	Nessus	Red Hat Local Security Checks	medium
24300	Fedora Core 5 : bind-9.3.4-1.fc5 (2007-164)	Nessus	Fedora Local Security Checks	high
24299	Fedora Core 6 : bind-9.3.4-1.fc6 (2007-147)	Nessus	Fedora Local Security Checks	high
24293	Debian DSA-1254-1 : bind9 - insufficient input sanitising	Nessus	Debian Local Security Checks	high
24289	CentOS 3 / 4 : bind (CESA-2007:0044)	Nessus	CentOS Local Security Checks	medium

Detections

Analytics

CVE-2007-0494

high

Tenable Plugins

high

medium

medium

medium

medium

medium

critical

high

high

high

critical

high

high

high

high

medium

high

high

high

medium