FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

bind9 -- denial of service

Affected packages
bind9 = 9.3.0
5.3 <= FreeBSD < 5.3_16

Details

VuXML ID 30e4ed7b-1ca6-11da-bc01-000e0c2e438a
Discovery 2005-01-25
Entry 2005-09-03

Problem description

A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit.

Impact

On systems with DNSSEC enabled, a remote attacker may be able to inject a specially crafted packet that will cause the internal consistency test to trigger, and named(8) to terminate. As a result, the name server will no longer be available to service requests.

Workaround

DNSSEC is not enabled by default, and the "dnssec-enable" directive is not normally present. If DNSSEC has been enabled, disable it by changing the "dnssec-enable" directive to "dnssec-enable no;" in the named.conf(5) configuration file.
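One way to check whether the workaround is in place, as an added example that is not part of the advisory: the script below reports every active "dnssec-enable" value in a named.conf(5) text, ignoring commented-out directives. The function names and the sample configuration are constructed for illustration, and the check assumes a single file (it does not follow "include" statements).

```python
import re
import sys

# Constructed sample named.conf, not taken from the advisory.
SAMPLE_CONF = '''
options {
    directory "/etc/namedb";
    // dnssec-enable no;
    /* dnssec-enable no;
       old setting */
    dnssec-enable yes;   # turned on for testing
};
'''

# Quoted strings are matched first so that "//" or "#" inside a path is kept.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_DIRECTIVE = re.compile(r'(?<![\w-])dnssec-enable\s+"?(\w+)"?\s*;')


def strip_comments(text):
    """Remove /* */, // and # comments, leaving quoted strings intact."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def dnssec_enable_settings(conf_text):
    """Return every active dnssec-enable value, in file order."""
    return [v.lower() for v in _DIRECTIVE.findall(strip_comments(conf_text))]


def workaround_applied(conf_text):
    """True if the directive is absent (the default) or always set to off."""
    # BIND's config parser accepts no/false/0 as the false boolean.
    return all(v in ("no", "false", "0")
               for v in dnssec_enable_settings(conf_text))


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print("dnssec-enable values:", dnssec_enable_settings(text) or "absent")
    print("workaround applied:", workaround_applied(text))
```

A result of "workaround applied: False" on an affected BIND 9.3.0 host means the directive still needs to be changed to "dnssec-enable no;" as described above.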

References

CERT/CC Vulnerability Note 938617
CVE Name CVE-2005-0034
URL http://www.isc.org/sw/bind/bind9.3.php#security
URL http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html?lang=en