-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
A critical defect in BIND 9 allows an attacker to cause excessive memory
consumption in named or other programs linked to libdns
27 March 2013
AusCERT Security Bulletin Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
CVE Names: CVE-2013-2266
- --------------------------BEGIN INCLUDED TEXT--------------------
A critical defect in BIND 9 allows an attacker to cause excessive
memory consumption in named or other programs linked to libdns.
Document Version: 2.0
Posting date: 26 March 2013
Program Impacted: BIND
Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1,
9.9.0 -> 9.9.3b1. (Windows versions are not
Versions of BIND 9 prior to BIND 9.7.0 (including
BIND 9.6-ESV) are not affected. BIND 10 is
A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
on Unix and related operating systems, allows an attacker to
deliberately cause excessive memory consumption by the named
process, potentially resulting in exhaustion of memory resources
on the affected server. This condition can crash BIND 9 and
will likely severely affect operation of other programs running
on the same machine.
Please Note: Versions of BIND 9.7 are beyond their "end of life"
(EOL) and no longer receive testing or security fixes from ISC.
However, the re-compilation method described in the "Workarounds"
section of this document will prevent exploitation in BIND 9.7
as well as in currently supported versions.
For current information on which versions are actively supported,
Additional information is available in the CVE-2013-2266 FAQ and
Supplemental Information article in the ISC Knowledge base,
Intentional exploitation of this condition can cause denial of
service in all authoritative and recursive nameservers running
affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
(inclusive)]. Additionally, other services which run on the
same physical machine as an affected BIND server could be
compromised as well through exhaustion of system memory.
Programs using the libdns library from affected versions of BIND
are also potentially vulnerable to exploitation of this bug if
they can be forced to accept input which triggers the condition.
Tools which are linked against libdns (e.g. dig) should also be
rebuilt or upgraded, even if named is not being used.
CVSS Score: 7.8
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System
and to obtain your specific environmental score please visit:
Patched versions are available (see the "Solutions:" section
below) or operators can prevent exploitation of this bug in any
affected version of BIND 9 by compiling without regular expression
Compilation without regular expression support:
BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
safe from this bug by re-compiling the source with regular
expression support disabled. In order to disable inclusion
of regular expression support:
- After configuring BIND features as desired using the configure
script in the top level source directory, manually edit the
"config.h" header file that was produced by the configure
- Locate the line that reads "#define HAVE_REGEX_H 1" and
replace the contents of that line with "#undef
- Run "make clean" to remove any previously compiled object
files from the BIND 9 source directory, then proceed to
make and install BIND normally.
No known active exploits.
Compile BIND 9 without regular expression support as described
in the "Workarounds" section of this advisory or upgrade to the
patched release most closely related to your current version of
BIND. These can be downloaded from http://www.isc.org/downloads/all.
BIND 9 version 9.8.4-P2
BIND 9 version 9.9.2-P2
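The affected ranges and patched releases listed in this advisory can be turned into a triage check for an inventory of Unix BIND version strings, together with a check that a build tree's generated config.h no longer enables HAVE_REGEX_H. This is an added example, not part of the ISC advisory or the AusCERT bulletin; the function names and the ordering of pre-release and -P suffixes are assumptions. A version string alone cannot show whether a binary was rebuilt without regular expression support, so the two checks are meant to be used together.

```python
import re

# Pre-release tags rank below a final release (3); -P security patches rank above (4).
_RANK = {"a": 0, "b": 1, "rc": 2}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+)|-P(\d+))?$")

# Per branch: first affected, last affected, first patched release (from the advisory).
BRANCHES = {
    (9, 8): ("9.8.0", "9.8.5b1", "9.8.4-P2"),
    (9, 9): ("9.9.0", "9.9.3b1", "9.9.2-P2"),
}

def parse(version):
    """Return a sortable key (major, minor, patch, rank, n) for a BIND 9 version."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if m.group(4):                      # pre-release, e.g. 9.9.3b1
        return (major, minor, patch, _RANK[m.group(4)], int(m.group(5)))
    if m.group(6):                      # security patch, e.g. 9.8.4-P2
        return (major, minor, patch, 4, int(m.group(6)))
    return (major, minor, patch, 3, 0)  # plain release

def is_affected(version):
    """True if the advisory lists this Unix BIND version as affected."""
    head = re.match(r"^(\d+)\.(\d+)", version.strip())
    if not head:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    branch = (int(head.group(1)), int(head.group(2)))
    if branch < (9, 7):
        return False                    # before 9.7.0, including 9.6-ESV
    if branch == (9, 7):
        return True                     # all of 9.7 (EOL, no patched release)
    if branch not in BRANCHES:
        return False                    # not listed as affected in this advisory
    key = parse(version)
    first, last, fixed = (parse(v) for v in BRANCHES[branch])
    if key[:3] == fixed[:3] and key >= fixed:
        return False                    # assumption: a later -P of the fixed release keeps the fix
    return first <= key <= last

def regex_support_enabled(config_h_text):
    """True if a generated config.h still has an active '#define HAVE_REGEX_H'."""
    return re.search(r"^\s*#\s*define\s+HAVE_REGEX_H\b", config_h_text, re.M) is not None
```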
ISC would like to thank Matthew Horsfall of Dyn, Inc. for
discovering this bug and bringing it to our attention.
Document Revision History:
1.0 Phase One - Advance Notification, 11 March 2013
1.1 Phase Two & Three, 25 March 2013
2.0 Notification to Public (Phase Four), 26 March 2013
See our BIND Security Matrix for a complete listing of Security
Vulnerabilities and versions affected.
If you'd like more information on our product support please visit
Do you still have questions? Questions regarding this advisory
should go to email@example.com
ISC patches only currently supported versions. When possible we
indicate EOL versions affected.
ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:
This Knowledge Base article https://kb.isc.org/article/AA-00871 is
the complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.
(c) 2001-2013 Internet Systems Consortium
- --------------------------END INCLUDED TEXT--------------------
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----