Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

 A critical defect in BIND 9 allows an attacker to cause excessive memory
          consumption in named or other programs linked to libdns
                               27 March 2013


        AusCERT Security Bulletin Summary

Product:           BIND
Publisher:         ISC
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2266  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

A critical defect in BIND 9 allows an attacker to cause excessive
memory consumption in named or other programs linked to libdns.

CVE:                  CVE-2013-2266
Document Version:     2.0
Posting date:         26 March 2013
Program Impacted:     BIND
Versions affected:    "Unix" versions of  BIND 9.7.x, 9.8.0 -> 9.8.5b1,
                       9.9.0 -> 9.9.3b1.  (Windows versions are not
                       Versions of BIND 9 prior to BIND 9.7.0 (including
                       BIND 9.6-ESV) are not affected.  BIND 10 is
                       not affected.)

Severity:             Critical
Exploitable:          Remotely


    A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
    on Unix and related operating systems, allows an attacker to
    deliberately cause excessive memory consumption by the named
    process, potentially resulting in exhaustion of memory resources
    on the affected server.  This condition can crash BIND 9 and
    will likely severely affect operation of other programs running
    on the same machine.

    Please Note: Versions of BIND 9.7 are beyond their "end of life"
    (EOL) and no longer receive testing or security fixes from ISC.
    However, the re-compilation method described in the "Workarounds"
    section of this document will prevent exploitation in BIND 9.7
    as well as in currently supported versions.

    For current information on which versions are actively supported,
    please seehttp://www.isc.org/software/bind/versions.

    Additional information is available in the CVE-2013-2266 FAQ and
    Supplemental Information article in the ISC Knowledge base,


    Intentional exploitation of this condition can cause denial of
    service in all authoritative and recursive nameservers running
    affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
    through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
    (inclusive)].   Additionally, other services which run on the
    same physical machine as an affected BIND server could be
    compromised as well through exhaustion of system memory.

    Programs using the libdns library from affected versions of BIND
    are also potentially vulnerable to exploitation of this bug if
    they can be forced to accept input which triggers the condition.
    Tools which are linked against libdns (e.g. dig) should also be
    rebuilt or upgraded, even if named is not being used

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

    For more information on the Common Vulnerability Scoring System
    and to obtain your specific environmental score please visit:



    Patched versions are available (see the "Solutions:" section
    below) or operators can prevent exploitation of this bug in any
    affected version of BIND 9 by compiling without regular expression

    Compilation without regular expression support:

       BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
       and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
       safe from this bug by re-compiling the source with regular
       expression support disabled.  In order to disable inclusion
       of regular expression support:

       - After configuring BIND features as desired using the configure
         script in the top level source directory, manually edit the
         "config.h" header file that was produced by the configure

       - Locate the line that reads "#define HAVE_REGEX_H 1" and
         replace the contents of that line with "#undef

       - Run "make clean" to remove any previously compiled object
         files from the BIND 9 source directory, then proceed to
         make and install BIND normally.

Active exploits:

    No known active exploits.


    Compile BIND 9 without regular expression support as described
    in the "Workarounds" section of this advisory or upgrade to the
    patched release most closely related to your current version of
    BIND. These can be downloaded fromhttp://www.isc.org/downloads/all.

    BIND 9 version 9.8.4-P2
    BIND 9 version 9.9.2-P2


    ISC would like to thank Matthew Horsfall of Dyn, Inc. for
    discovering this bug and bringing it to our attention.

Document Revision History:

    1.0 Phase One - Advance Notification, 11 March 2013
    1.1 Phase Two & Three, 25 March 2013
    2.0 Notification to Public (Phase Four), 26 March 2013

Related Documents:

    Japanese Translation:https://kb.isc.org/article/AA-00881
    Spanish Translation:https://kb.isc.org/article/AA-00882
    German Translation:https://kb.isc.org/article/AA-00883
    Portuguese Translation:https://kb.isc.org/article/AA-00884

    See our BIND Security Matrix for a complete listing of Security
    Vulnerabilities and versions affected.

If you'd like more information on our product support please visit

Do you still have questions?  Questions regarding this advisory
should go tosecurity-officer@isc.org


    ISC patches only currently supported versions. When possible we
    indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:  Details of our current
security advisory policy and practice can be found here:

This Knowledge Base articlehttps://kb.isc.org/article/AA-00871  is
the complete and official security advisory document.

Legal Disclaimer:

    Internet Systems Consortium (ISC) is providing this notice on
    an "AS IS" basis. No warranty or guarantee of any kind is expressed
    in this notice and none should be implied. ISC expressly excludes
    and disclaims any warranties regarding this notice or materials
    referred to in this notice, including, without limitation, any
    implied warranty of merchantability, fitness for a particular
    purpose, absence of hidden defects, or of non-infringement. Your
    use or reliance on this notice or materials referred to in this
    notice is at your own risk. ISC may change this notice at any
    time.  A stand-alone copy or paraphrase of the text of this
    document that omits the document URL is an uncontrolled copy.
    Uncontrolled copies may lack important information, be out of
    date, or contain factual errors.

(c) 2001-2013 Internet Systems Consortium

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967