JVNVU#795694
ISC BIND にサービス運用妨害 (DoS) の脆弱性

ISC BIND には、サービス運用妨害 (DoS) の脆弱性が存在します。

• 9.4-ESV-R4-P1 より前のバージョン
• 9.6-ESV-R4-P1 より前のバージョン
• 9.7.3-P1 より前のバージョン
• 9.8.0-P2 より前のバージョン

ISC BIND には、RRSIG リソースレコードセットの処理に起因する、サービス運用妨害 (DoS) の脆弱性が存在します。

ISC から、以下の脆弱性情報が公開されています。

"DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the negative cache.

The authority data will be cached along with the negative cache information. These authoritative “Start of Authority” (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type. In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.

The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup)."

遠隔の第三者からのサービス運用妨害 (DoS) 攻撃を受ける可能性があります。

アップデートする
この問題は、使用している OS のベンダや配布元が提供する修正済みのバージョンに更新することで解決します。
ISC は以下の対策済みバージョンを提供しています。

• 9.4-ESV-R4-P1
• 9.6-ESV-R4-P1
• 9.7.3-P1
• 9.8.0-P2