
Infoblox BIND 9 Vulnerability Advisory

CVE-2011-2464: Remote packet denial of service against recursive and authoritative servers
CVE-2011-2465: Remote crash of servers with certain RPZ configurations

On July 5, 2011, ISC announced two BIND 9 vulnerabilities: CVE-2011-2464 and CVE-2011-2465. Only CVE-2011-2464 affects Infoblox NIOS; the details and the upgrade patches are described below.

CVE-2011-2464:

An attacker can remotely send a specially crafted packet that causes the "named" process of an affected BIND version to exit, interrupting DNS service. Both authoritative and recursive servers are affected by this weakness. Because of where the defective code is located, neither the ACLs in named.conf nor disabling features at compile time or run time can prevent this.

A remote attacker would need to be able to send the crafted packet directly to an affected BIND version. An attacker could also reach the server indirectly through a machine that is able to communicate directly with the name server.

Affected NIOS versions:

  • 6.1.x
  • 6.0.x
  • 5.1r4-x
  • 5.1r3-x
  • 5.1r2-x


CVE-2011-2465:

This vulnerability only affects name servers that have recursion enabled and use a specific rule pattern in their RPZ configuration. RPZ is short for Response Policy Zones, a technology developed by ISC that gives recursive name server operators a simple way to block queries for certain domain names or redirect the results to a designated location. RPZ gives DNS resolution a great deal of flexibility and fine-grained control. For details, see the ISC RPZ page: https://www.isc.org/software/rpz

NIOS is not affected by CVE-2011-2465.

Infoblox has released patches for CVE-2011-2464. The following releases already contain the patch and should be deployed as soon as possible: 6.1.3, 6.0.7, 5.1r4-4, or 5.1r3-10

For customers running NIOS 6.1/6.0:
vNIOS/NIOS 6.1.3 contains the patch for vNIOS/NIOS 6.1.x
vNIOS/NIOS 6.0.7 contains the patch for vNIOS/NIOS 6.0.x

For customers running NIOS 5.1/5.0:
vNIOS/NIOS 5.1r4-4 contains the patch for vNIOS/NIOS 5.1r4-x
vNIOS/NIOS 5.1r3-10 contains the patch for vNIOS/NIOS 5.1r3-x

Infoblox recommends the following:

Customers running versions prior to vNIOS/NIOS 5.1r2-0 are not affected by CVE-2011-2464.
Infoblox recommends that all vNIOS/NIOS 6.0/6.1 customers upgrade to vNIOS/NIOS 6.1.3
Infoblox recommends that all vNIOS/NIOS 5.1r2 (and later) customers upgrade to vNIOS/NIOS 5.1r4-4

The English original follows:

CVE-2011-2464: Remote packet denial of service against authoritative and recursive servers
CVE-2011-2465: Remote crash with certain RPZ configurations

On July 5, 2011 the Internet Systems Consortium (ISC) announced vulnerabilities in BIND 9, CVE-2011-2464 and CVE-2011-2465. Infoblox NIOS is only vulnerable to CVE-2011-2464. Details regarding the vulnerabilities are provided below including the availability of patches.

CVE-2011-2464:

A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.

A remote attacker would need to be able to send a specially crafted packet directly to a server running a vulnerable version of BIND. There is also the potential for an indirect attack via malware that is inadvertently installed and run, where infected machines have direct access to an organization's nameservers.

Affects NIOS versions:

  • 6.1.x
  • 6.0.x
  • 5.1r4-x
  • 5.1r3-x
  • 5.1r2-x


If you are operating a release listed above, you must upgrade to one of the available patches that address CVE-2011-2464. If you are not running one of the versions listed above, you are not affected by CVE-2011-2464 and do not need to upgrade.

CVE-2011-2465:

Two defects were discovered in ISC's BIND 9 code. These defects only affect BIND 9 servers which have recursion enabled and which use a specific feature of the software known as Response Policy Zones (RPZ) and where the RPZ zone contains a specific rule/action pattern.

RPZ is a technology developed by ISC which provides DNS recursive name server operators with a simple way to block certain queries which they wish to or legally must prevent, or to redirect them to an alternate location. RPZ allows a great deal of flexibility and fine-grained selection of resolver policy. For more information, please see https://www.isc.org/software/rpz .

No shipping version of NIOS is affected by CVE-2011-2465.

Infoblox has released patches to address CVE-2011-2464. The following NIOS updates should be deployed as soon as possible: 6.1.3, 6.0.7, 5.1r4-4, or 5.1r3-10.

For customers running NIOS 6.1/6.0:

vNIOS/NIOS 6.1.3 updates all previous versions of vNIOS/NIOS 6.1.x
vNIOS/NIOS 6.0.7 updates all previous versions of vNIOS/NIOS 6.0.x

For customers running NIOS 5.1/5.0:

vNIOS/NIOS 5.1r4-4 updates all previous versions of vNIOS/NIOS 5.1r4-x
vNIOS/NIOS 5.1r3-10 updates all previous versions of vNIOS/NIOS 5.1r3-x

Recommendations:

Customers operating software versions prior to vNIOS/NIOS 5.1r2-0 are not affected by CVE-2011-2464.
Infoblox recommends all vNIOS/NIOS 6.0/6.1 customers upgrade to vNIOS/NIOS 6.1.3
Infoblox recommends all vNIOS/NIOS 5.1r2 (and greater) customers upgrade to vNIOS/NIOS 5.1r4-4
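As an added example (not Infoblox's code), the version rules in this advisory turned into an inventory triage check: it parses the two NIOS version formats used above (6.1.3 and 5.1r4-4), marks each installed version as not affected, affected, patched or not listed, and reports the release the advisory recommends. The hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# NIOS version formats used in the advisory: "6.1.3" / "6.0.7" (major.minor.build)
# and "5.1r4-4" / "5.1r3-10" (major.minor r release - build).
_NIOS_RE = re.compile(r"^(\d+)\.(\d+)(?:r(\d+))?(?:[.-](\d+))?$")

# Minimum patched build per release train, from the advisory (release part is 0 for 6.x).
PATCHED = {(6, 1, 0): "6.1.3", (6, 0, 0): "6.0.7", (5, 1, 4): "5.1r4-4", (5, 1, 3): "5.1r3-10"}

def parse_nios(version: str) -> Tuple[int, int, int, int]:
    """Parse a NIOS/vNIOS version into a comparable (major, minor, release, build) tuple."""
    m = _NIOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NIOS version: {version!r}")
    major, minor, rel, build = m.groups()
    return (int(major), int(minor), int(rel or 0), int(build or 0))

def assess_cve_2011_2464(version: str) -> Dict[str, Optional[str]]:
    """Classify one installed version against the advisory's affected/patched lists."""
    v = parse_nios(version)
    train = v[:3]
    # Advisory recommendation by train: 6.0/6.1 -> 6.1.3, 5.1r2 and later -> 5.1r4-4.
    recommended = "6.1.3" if v[0] == 6 else "5.1r4-4"
    if v < (5, 1, 2, 0):
        return {"status": "not affected", "reason": "prior to 5.1r2-0", "recommended": None}
    if train == (5, 1, 2):
        return {"status": "affected", "reason": "5.1r2-x has no patch release", "recommended": recommended}
    patched = PATCHED.get(train)
    if patched is None:
        return {"status": "unknown", "reason": "release train not listed in the advisory", "recommended": None}
    if v < parse_nios(patched):
        return {"status": "affected", "reason": f"below patched release {patched}", "recommended": recommended}
    return {"status": "patched", "reason": f"at or above {patched}", "recommended": recommended}

def hosts_needing_upgrade(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> recommended release for every host still exposed to CVE-2011-2464."""
    result = {}
    for host, ver in inventory.items():
        a = assess_cve_2011_2464(ver)
        if a["status"] == "affected":
            result[host] = a["recommended"]
    return result

# Constructed sample inventory with hypothetical hostnames, not data from the advisory.
SAMPLE_INVENTORY = {"ns1": "6.1.2", "ns2": "6.0.7", "ns3": "5.1r3-9", "ns4": "5.1r1-3"}

if __name__ == "__main__":
    for host, target in hosts_needing_upgrade(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target}")
```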