-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
A Problem with Trust Anchor Management Can Cause named to Crash
19 February 2015
AusCERT Security Bulletin Summary
Publisher: Internet Systems Consortium
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
CVE Names: CVE-2015-1349
- --------------------------BEGIN INCLUDED TEXT--------------------
A Problem with Trust Anchor Management Can Cause named to Crash
When configured to perform DNSSEC validation, named can crash when
encountering a rare set of conditions in the managed trust anchors.
Document Version: 2.0
Posting date: 18 Feb 2015
Program Impacted: BIND
BIND 9.7.0 -> BIND 9.10.1-P1. Also, b1 and rc1 development versions
of the upcoming BIND maintenance releases (9.9.7b1 & rc1, 9.10.2b1 &
rc1) are affected.
BIND versions 9.9.6, 9.9.6-P1, 9.10.1, and 9.10.1-P1 will terminate
consistently with an assertion in zone.c, but previous affected
versions may exhibit unpredictable behavior, including server
crashes, due to the use of an improperly initialized variable.
Severity: High, but requires specific conditions.
Exploitable: Remotely, under limited circumstances.
BIND servers which are configured to perform DNSSEC validation and
which are using managed-keys (which occurs implicitly when using
"dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate
with an assertion failure when encountering all of the following
conditions in a managed trust anchor:
* a key which was previously trusted is now flagged as revoked;
* there are no other trusted keys available;
* there is a standby key, but it is not trusted yet
This situation results in termination of the named process and denial
of service to clients, and can occur in two circumstances:
* during an improperly-managed key rollover for one of the managed
trust anchors (e.g. during a botched root key rollover), or
* when deliberately triggered by an attacker, under specific and
limited circumstances. ISC has demonstrated a proof-of-concept of
this attack; however, the complexity of the attack is very high
unless the attacker has a specific network relationship to the
BIND server which is targeted
Only servers which are performing DNSSEC validation and which are
using managed-keys can be affected by this vulnerability.
Recursive validating resolvers are at the greatest risk, but
authoritative servers could also be vulnerable if they are performing
DNSSEC validation and using managed-keys.
Servers which are affected may terminate with an assertion, causing
denial of service to all clients.
CVSS Score: 5.4
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
For a workaround, do not use "auto" for the dnssec-validation or
dnssec-lookaside options and do not configure a managed-keys
statement. In order to do DNSSEC validation with this workaround one
would have to configure an explicit trusted-keys statement with the
No known active exploits.
Upgrade to the patched release most closely related to your current
version of BIND. These can be downloaded from
The issue is also fixed in the BIND development releases:
ISC would like to thank Jan-Piet Mens for reporting this issue.
Document Revision History:
1.0 Advance Notification, 11 February 2015
2.0 Updated Workaround section, Public Disclosure, 18 February 2015
See our BIND9 Security Vulnerability Matrix at
https://kb.isc.org/article/AA-00913 for a complete listing of
Security Vulnerabilities and versions affected.
If you'd like more information on ISC Subscription Support and
Advance Security Notifications, please visit
Do you still have questions? Questions regarding this advisory
should go to email@example.com.
To report a new issue, please encrypt your message using
firstname.lastname@example.org's PGP key which can be found here:
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/.
ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be
This Knowledge Base article https://kb.isc.org/article/AA-01235 is the
complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied
warranty of merchantability, fitness for a particular purpose,
absence of hidden defects, or of non-infringement. Your use or
reliance on this notice or materials referred to in this notice is at
your own risk. ISC may change this notice at any time. A stand-alone
copy or paraphrase of the text of this document that omits the
document URL is an uncontrolled copy. Uncontrolled copies may lack
important information, be out of date, or contain factual errors.
(c) 2001-2015 Internet Systems Consortium
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----