DNS Security Notice

July 28, 2009: Urgent DNS Security Notice

 

1. Status

Because of the BIND Dynamic Update DoS vulnerability, an upgrade of BIND 9 is required.

https://www.isc.org/node/474

 

2. The problem

Security issue: the server daemon can be crashed remotely.

BIND Dynamic Update DoS   https://www.isc.org/node/474

CVE: CVE-2009-0696
CERT: VU#725188
Posting date: 2009-07-28
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.

(A BIND DoS: the server crashes and service stops.)

 

3. Solution

Upgrade to one of the three versions below.

Solution:  Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:

http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz

http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz

http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz
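The following script is an added example (not from this notice, ISC or CERT) that classifies the version string reported by `named -v` against the three fixed releases listed above, so you can check every master before and after the upgrade. The function names and the handling of vendor suffixes such as `-RedHat-...` are my own assumptions; only the 9.4, 9.5 and 9.6 branches named in the advisory are covered, and anything else is reported as "unknown".

```shell
#!/bin/sh
# bind_version_check.sh (added example, not part of the advisory):
# classify a BIND version string against the fixed releases 9.4.3-P3,
# 9.5.1-P3 and 9.6.1-P1. Prints "patched", "vulnerable" or "unknown"
# (branch not covered by the advisory) and returns 0, 1 or 2.

# Fixed patch level and -P level for each branch named in the advisory.
fixed_for_branch() {
    case "$1" in
        9.4) echo "3 3" ;;   # 9.4.3-P3
        9.5) echo "1 3" ;;   # 9.5.1-P3
        9.6) echo "1 1" ;;   # 9.6.1-P1
        *)   return 1 ;;     # not covered by this advisory
    esac
}

# Reduce output such as "BIND 9.6.1-P1-RedHat-9.6.1-1.P1.el5" to
# "major minor patch plevel"; a version without -P gets plevel 0.
# The vendor-suffix handling is an assumption, not ISC's format spec.
split_version() {
    v=$(printf '%s\n' "$1" | sed 's/^BIND //; s/^\([0-9][0-9.]*\)\(-P[0-9][0-9]*\)\{0,1\}.*$/\1\2/')
    case "$v" in
        *-P*) plevel=${v##*-P}; v=${v%%-P*} ;;
        *)    plevel=0 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $v
    IFS=$oldifs
    echo "$1 ${2:-0} ${3:-0} $plevel"
}

bind_version_status() {
    set -- $(split_version "$1")
    major=$1; minor=$2; patch=$3; plevel=$4
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 2 ;;   # not a version string at all
    esac
    if ! fixed=$(fixed_for_branch "$major.$minor"); then
        echo unknown; return 2
    fi
    set -- $fixed
    # Patched when the patch level is above the fix, or equal with -P level >= fix.
    if [ "$patch" -gt "$1" ] || { [ "$patch" -eq "$1" ] && [ "$plevel" -ge "$2" ]; }; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Stand-alone use: check the named installed on this host, if any.
if command -v named >/dev/null 2>&1; then
    ver=$(named -v 2>&1)
    printf '%s -> %s\n' "$ver" "$(bind_version_status "$ver")"
fi
```

Run it on each master, or feed it `dig +short version.bind chaos txt @server` output when the server exposes its version; a server that reports a 9.3.x or older branch is not covered by this advisory's fixed releases and should be treated as needing a vendor update rather than as patched.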

 

4. Details

1) Upgrade manual: how to patch by compiling from source
- How to compile BIND from source:
http://cafe.naver.com/dnspro/1408
- Things to watch out for when upgrading to BIND 9.4.2 or later: http://cafe.naver.com/dnspro/8955

 

2) Korean-language documents

 1) AhnLab has also posted update instructions for each OS.

 2) As also stated below, this is a security problem whether or not you use dynamic updates, so the patch is required.

# If you upgrade by compiling from source, be sure to back up the existing named binary before you start.

# If you update via a package instead, be sure to back up the named binary, named.conf and the zone files before proceeding.
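The backup step above is easy to do by hand and easy to get wrong (a forgotten zone file is the usual omission). The script below is an added example, not from this notice or from ISC: it reads the `file "..."` statements out of named.conf, resolves them against the `directory` option, and archives them together with the binary and the config into a timestamped tarball. The default paths (`/usr/local/sbin/named`, `/etc/named.conf`, `/var/backups/bind`) and the demo tree it builds when no named.conf is present are my assumptions; override them with environment variables to match your install.

```shell
#!/bin/sh
# bind_backup.sh (added example, not part of the advisory): archive the running
# named binary, named.conf and every zone file it references before upgrading.

# Print the zone files referenced by 'file "..."' statements in named.conf,
# resolving relative names against the 'directory "..."' option. Comments
# starting with // are stripped first so a commented-out file line is ignored.
zone_files_from_conf() {
    conf=$1
    dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    sed -n 's,//.*,,; s/^[[:space:]]*\(.*[[:space:]]\)\{0,1\}file[[:space:]]*"\([^"]*\)".*/\2/p' "$conf" |
    while read -r f; do
        case "$f" in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s\n' "${dir:-.}/$f" ;;
        esac
    done
}

# Archive binary, config and zone files into backup_dir; missing paths are
# reported on stderr and skipped. Prints the tarball path.
backup_bind() {
    named_bin=$1; named_conf=$2; backup_dir=$3
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup_dir"
    list=$backup_dir/bind-$stamp.list
    {
        printf '%s\n' "$named_bin" "$named_conf"
        zone_files_from_conf "$named_conf"
    } | sort -u | while read -r f; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; else echo "skipping missing $f" >&2; fi
    done > "$list"
    tarball=$backup_dir/bind-$stamp.tar
    tar -cf "$tarball" -T "$list" 2>/dev/null   # tar warns while stripping the leading "/"
    printf '%s\n' "$tarball"
}

# Constructed demo tree (an assumption for illustration, not a real install):
# a named.conf with one relative and one absolute zone file, plus a fake binary.
make_demo_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/zones"
    cat > "$work/named.conf" <<EOF
options {
    directory "$work/zones";
};
zone "example.test" {
    type master;
    file "example.test.db";
};
zone "10.in-addr.arpa" {
    type master;
    file "$work/zones/10.rev";
};
EOF
    printf '@ IN SOA ns1.example.test. hostmaster.example.test. 1 3600 900 604800 86400\n' > "$work/zones/example.test.db"
    printf '@ IN SOA ns1.example.test. hostmaster.example.test. 1 3600 900 604800 86400\n' > "$work/zones/10.rev"
    printf '#!/bin/sh\necho fake named\n' > "$work/named"
    printf '%s\n' "$work"
}

NAMED_BIN=${NAMED_BIN:-/usr/local/sbin/named}
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/bind}

if [ -f "$NAMED_CONF" ]; then
    backup_bind "$NAMED_BIN" "$NAMED_CONF" "$BACKUP_DIR"
else
    echo "no $NAMED_CONF here; running the constructed demo instead" >&2
    w=$(make_demo_tree)
    tar -tf "$(backup_bind "$w/named" "$w/named.conf" "$w/backup")"
    rm -rf "$w"
fi
```

Keep the tarball somewhere outside the directories the upgrade will overwrite, and verify it with `tar -tf` before you start; after the new named is running, the same list tells you which zone files to compare against what the new server loaded.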

 

AhnLab security notice

http://kr.ahnlab.com/virusNIAsecAdvisor_View.ahn?news_dist=02&site_dist=01&category=VNI002&mid_cate=001&sub_cate1=&sub_cate2=&cPage=1&seq=14792&key=&related=

 

3) Details

--------------------------------------------------------------------------------

Description:
Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).

Workarounds:
None.
(Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)

Active exploits:
An active remote exploit is in wide circulation at this time.


ISC releases patched versions of BIND 9 in response to newly-discovered DNS attack
Redwood City, California -- July 28, 2009 -- ISC has published new releases of all current versions of BIND 9 in response to CERT Vulnerability Note VU#725188. See this ISC Security Advisory for details and instructions for downloading these releases.

An exploit of this vulnerability was made public at the same time the vulnerability was announced, which makes it especially important to upgrade.

Receipt of a specially-crafted dynamic update message may cause BIND 9 servers to exit. This vulnerability affects all servers – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.


http://www.kb.cert.org/vuls/id/725188

ISC BIND 9 vulnerable to denial of service via dynamic update request
Overview
ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.
I. Description
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136. BIND 9 can crash when processing a specially-crafted dynamic update packet.
ISC notes that this vulnerability affects all servers that are masters for one or more zones and is not limited to those that are configured to allow dynamic updates. ISC also indicates that the attack packet has to be constructed for a zone for which the target system is configured as a master; launching the attack against slave zones does not trigger the vulnerability.

II. Impact
By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.

III. Solution
Apply an update

Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the systems affected portion of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC BIND versions 9.4.3-P3, 9.5.1-P3, and BIND 9.6.1-P1. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate.

See also https://www.isc.org/node/474.

 

Take care.