| Short Name | DNS:BIND-RRSIG-QUERY-DOS |
|---|---|
| Severity | Major |
| Recommended | No |
| Recommended Action | Drop |
| Category | DNS |
| Keywords | ISC BIND RRSIG Query With RPZ Denial of Service |
| Release Date | 2011/06/02 |
| Update Number | 1930 |
| Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |

A denial-of-service vulnerability exists in ISC BIND. It is caused by an assertion failure when the server processes RRSIG queries while Response Policy Zones (RPZ) are configured to force a specific RRset for some name. A remote attacker may exploit this vulnerability by sending RRSIG requests to the vulnerable server. Successful exploitation triggers the assertion failure and crashes the server, resulting in a denial-of-service condition.
ISC BIND is prone to a remote denial-of-service vulnerability because the software fails to properly handle certain record types. An attacker can exploit this issue to cause the application process to crash, denying service to legitimate users. NOTE: This issue only affects BIND users who use the RPZ feature configured for RRset replacement. ISC BIND version 9.8.0 is vulnerable.
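The traffic condition described above, a DNS query whose question type is RRSIG, can be checked on captured DNS payloads. The following is an added example, not the signature's own logic or vendor code; the RRSIG type code 46 comes from RFC 4034 rather than from this page, and the two sample messages are constructed for illustration.

```python
import struct

QTYPE_RRSIG = 46  # RRSIG type code per RFC 4034 (assumption: not stated on the page)

# Constructed sample DNS queries for www.example.com (RD flag set, one question).
HDR_QUERY = "123401000001000000000000"
NAME_WWW = "03777777076578616d706c6503636f6d00"
SAMPLE_RRSIG_QUERY = bytes.fromhex(HDR_QUERY + NAME_WWW + "002e0001")  # QTYPE 46
SAMPLE_A_QUERY = bytes.fromhex(HDR_QUERY + NAME_WWW + "00010001")      # QTYPE 1


def parse_question(msg: bytes):
    """Return (is_query, qname, qtype) for the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:            # root label terminates the name
            break
        if length & 0xC0:          # compression pointers do not belong in a query name
            raise ValueError("unexpected compression pointer")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    is_query = (flags & 0x8000) == 0   # QR bit clear means query
    return is_query, ".".join(labels) or ".", qtype


def is_rrsig_query(msg: bytes) -> bool:
    """True when msg is a DNS query (not a response) asking for type RRSIG."""
    try:
        is_query, _name, qtype = parse_question(msg)
    except ValueError:
        return False               # malformed input is not matched by this check
    return is_query and qtype == QTYPE_RRSIG
```

This check matches every RRSIG-type query, not only queries for names covered by an RPZ rule, so correlate hits with whether the receiving server is BIND 9.8.0 with RPZ RRset replacement configured.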