CERT mailing list archives

Current Activity - Internet Systems Consortium BIND Vulnerabilities


From: Current Activity <us-cert () us-cert gov>
Date: Thu, 2 Dec 2010 09:32:07 -0500

US-CERT Current Activity

Internet Systems Consortium BIND Vulnerabilities

Original release date: December 2, 2010 at 9:22 am
Last revised: December 2, 2010 at 9:22 am


The Internet Systems Consortium (ISC) has released three advisories to
address multiple vulnerabilities affecting BIND.

The first advisory, CVE-2010-3613, addresses a vulnerability in BIND
versions 9.6.2 to 9.6.2-P2, 9.6-ESV to 9.6-ESV-R2, and 9.70 to
9.7.2-P2. This vulnerability exists when the cache incorrectly allows
an ncache entry and an RRSIG for the same type. Exploitation of this
vulnerability may allow a remote attacker to cause a denial-of-service
condition. Additional information regarding this vulnerability can be
found in US-CERT Vulnerability Note VU#706148.

The second advisory, CVE-2010-3614, addresses a vulnerability in BIND
versions 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, and 9.6-ESV to
9.6-ESV-R2. This vulnerability exists when "named" incorrectly marks
zone data as insecure when the zone being queried is undergoing a key
algorithm rollover. Exploitation of this vulnerability may allow
answers to be incorrectly marked as insecure. Additional information
regarding this vulnerability can be found in US-CERT Vulnerability
Note VU#837744.

The third advisory, CVE-2010-3615, addresses a vulnerability in BIND
version 9.7.2-P2. This vulnerability is due to the incorrect
processing of "allow-query". Exploitation of this vulnerability may
allow a remote attacker to bypass access restrictions. Additional
information regarding this vulnerability can be found in US-CERT
Vulnerability Note VU#510208.

US-CERT encourages users and administrators to review the advisories
listed above and apply any necessary updates to help mitigate the
risks. Because OpenSSL is often packaged in larger third-party
applications or operating system distributions, users and
administrators should check with their software vendors for updated
versions.

Relevant URL(s):
<https://www.isc.org/software/bind/advisories/cve-2010-3613>

<https://www.isc.org/software/bind/advisories/cve-2010-3615>

<https://www.isc.org/software/bind/advisories/cve-2010-3614>

<http://www.kb.cert.org/vuls/id/510208>

<http://www.kb.cert.org/vuls/id/837744>

<http://www.kb.cert.org/vuls/id/706148>

====
This entry is available at
http://www.us-cert.gov/current/index.html#internet_systems_consortium_bind_vulnerabilities
