Internet Systems Consortium BIND Vulnerabilities

The Internet Systems Consortium (ISC) has released three advisories to address multiple vulnerabilities affecting BIND.

The first advisory, CVE-2010-3613, addresses a vulnerability in BIND versions 9.6.2 to 9.6.2-P2, 9.6-ESV to 9.6-ESV-R2, and 9.70 to 9.7.2-P2. This vulnerability exists when cache incorrectly allows an ncache entry and a rrsig for the same type. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#706148.

The second advisory, CVE-2010-3614, addresses a vulnerability in BIND versions 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, and 9.6-ESV to 9.6-ESV-R2. This vulnerability exists when “named” incorrectly marks zone data as insecure when the zone being queried is undergoing a key algorithm rollover. Exploitation of this vulnerability may allow answers to be incorrectly marked as insecure. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#837744.

The third advisory, CVE-2010-3615, addresses a vulnerability in BIND version 9.7.2-P2. This vulnerability is due to the incorrect processing of “allow-query”. Exploitation of this vulnerability may allow a remote attacker to bypass access restrictions. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#510208.

US-CERT encourages users and administrators to review the advisories listed above and apply any necessary updates to help mitigate the risks. Because BIND is often packaged in larger third-party applications or operating system distributions, users and administrators should check with their software vendors for updated versions.