Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

      A Problem with Trust Anchor Management Can Cause named to Crash
                             19 February 2015


        AusCERT Security Bulletin Summary

Product:           BIND
Publisher:         Internet Systems Consortium
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1349  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

A Problem with Trust Anchor Management Can Cause named to Crash

When configured to perform DNSSEC validation, named can crash when
encountering a rare set of conditions in the managed trust anchors.

CVE:               CVE-2015-1349
Document Version:  2.0
Posting date:      18 Feb 2015
Program Impacted:  BIND
Versions affected: 

   BIND 9.7.0 -> BIND 9.10.1-P1.  Also, b1 and rc1 development versions
   of the upcoming BIND maintenance releases (9.9.7b1 & rc1, 9.10.2b1 &
   rc1) are affected.

   BIND versions 9.9.6, 9.9.6-P1, 9.10.1, and 9.10.1-P1 will terminate
   consistently with an assertion in zone.c, but previous affected
   versions may exhibit unpredictable behavior, including server
   crashes, due to the use of an improperly initialized variable.

Severity:    High, but requires specific conditions.
Exploitable: Remotely, under limited circumstances.


   BIND servers which are configured to perform DNSSEC validation and
   which are using managed-keys (which occurs implicitly when using
   "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate
   with an assertion failure when encountering all of the following
   conditions in a managed trust anchor:

    * a key which was previously trusted is now flagged as revoked;
    * there are no other trusted keys available;
    * there is a standby key, but it is not trusted yet

   This situation results in termination of the named process and denial
   of service to clients, and can occur in two circumstances:

    * during an improperly-managed key rollover for one of the managed
      trust anchors (e.g. during a botched root key rollover), or
    * when deliberately triggered by an attacker, under specific and
      limited circumstances. ISC has demonstrated a proof-of-concept of
      this attack; however, the complexity of the attack is very high
      unless the attacker has a specific network relationship to the
      BIND server which is targeted


   Only servers which are performing DNSSEC validation and which are
   using managed-keys can be affected by this vulnerability.

   Recursive validating resolvers are at the greatest risk, but
   authoritative servers could also be vulnerable if they are performing
   DNSSEC validation and using managed-keys.

   Servers which are affected may terminate with an assertion, causing
   denial of service to all clients.

CVSS Score:  5.4
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:C)

   For more information on the Common Vulnerability Scoring System and
   to obtain your specific environmental score please visit:


   For a workaround, do not use "auto" for the dnssec-validation or
   dnssec-lookaside options and do not configure a managed-keys
   statement.  In order to do DNSSEC validation with this workaround one
   would have to configure an explicit trusted-keys statement with the
   appropriate keys.

Active exploits:

   No known active exploits.


   Upgrade to the patched release most closely related to your current
   version of BIND. These can be downloaded from

    BIND 9.9.6-P2
    BIND 9.10.1-P2

   The issue is also fixed in the BIND development releases:

    BIND 9.9.7rc2
    BIND 9.10.2rc2


   ISC would like to thank Jan-Piet Mens for reporting this issue.

Document Revision History:

1.0 Advance Notification, 11 February 2015
2.0 Updated Workaround section, Public Disclosure, 18 February 2015

Related Documents:

   See our BIND9 Security Vulnerability Matrix at
   https://kb.isc.org/article/AA-00913 for a complete listing of
   Security Vulnerabilities and versions affected. 

   If you'd like more information on ISC Subscription Support and
   Advance Security Notifications, please visit

   Do you still have questions?  Questions regarding this advisory
   should go to security-officer@isc.org.
   To report a new issue, please encrypt your message using
   security-officer@isc.org's PGP key which can be found here:
   If you are unable to use encrypted email, you may also report new
   issues at: https://www.isc.org/community/report-bug/.


   ISC patches only currently supported versions. When possible we
   indicate EOL versions affected.  (For current information on which
   versions are actively supported, please see

ISC Security Vulnerability Disclosure Policy:

   Details of our current security advisory policy and practice can be
   found here:

This Knowledge Base article https://kb.isc.org/article/AA-01235 is the
complete and official security advisory document. 

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on an "AS
   IS" basis. No warranty or guarantee of any kind is expressed in this
   notice and none should be implied. ISC expressly excludes and
   disclaims any warranties regarding this notice or materials referred
   to in this notice, including, without limitation, any implied
   warranty of merchantability, fitness for a particular purpose,
   absence of hidden defects, or of non-infringement. Your use or
   reliance on this notice or materials referred to in this notice is at
   your own risk. ISC may change this notice at any time.  A stand-alone
   copy or paraphrase of the text of this document that omits the
   document URL is an uncontrolled copy.  Uncontrolled copies may lack
   important information, be out of date, or contain factual errors.

(c) 2001-2015 Internet Systems Consortium

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967