Notice on five serious security bugs in BIND and DHCP issued by ISC
2012/07/24 16:18
 

 (I) Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND9

On July 24, Beijing time, ISC announced a high-risk bug in the BIND 9 software on its official website: a heavy DNSSEC validation load can cause a "Bad Cache" assertion failure in BIND 9.

1) Bug analysis

BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure.

This bug cannot be encountered unless your server is doing DNSSEC validation.

2) Solution

Upgrade to the patched release most closely related to your current version of BIND.

BIND 9.9.1-P2

BIND 9.8.3-P2

BIND 9.7.6-P2

BIND 9.6-ESV-R7-P2

Please Note: Versions of BIND 9.4 and 9.5 are also affected, but these branches are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC.

For more information: https://kb.isc.org/article/AA-00729

 (II) High TCP query load can trigger a memory leak in BIND9

On July 24, Beijing time, ISC announced a high-risk bug in the BIND 9 software on its official website. Under heavy incoming TCP query loads, named experiences a memory leak which may lead to significant reductions in query response performance. Additionally, this can trigger an automatic shutdown if named is running on a system that kills out-of-memory processes.

1) Bug analysis

BIND 9 tracks incoming queries using a structure called "ns_client". When a query has been answered and the ns_client structure is no longer needed, it is stored on a queue of inactive ns_clients. When a new ns_client is needed to service a new query, the queue is checked to see if any inactive ns_clients are available before a new one is allocated; this speeds up the system by avoiding unnecessary memory allocations and de-allocations. However, when the queue is empty, and one thread inserts an ns_client into it while another thread attempts to remove it, a race bug could cause the ns_client to be lost; since the queue would appear empty in that case, a new ns_client would be allocated from memory. This condition occurred very infrequently with UDP queries but much more frequently under high TCP query loads; over time, the number of allocated but misplaced ns_client objects could grow large enough to affect system performance, and could trigger an automatic shutdown of the named process on systems with an "OOM killer" (out of memory killer) mechanism.

2) Solution

The versions of the BIND 9 software impacted by this bug are 9.9.0→9.9.1-P1.

Therefore, upgrade to BIND 9 version 9.9.1-P2.

BIND 9.9.1-P2 is available from www.isc.org/downloads/all.

For more information, please visit: https://kb.isc.org/article/AA-00730

 (III) An Error in the Handling of Malformed Client Identifiers can Cause a Denial-of-Service Condition in Affected Servers

On July 24, Beijing time, ISC announced a high-risk bug in the ISC DHCP software on its official website. An error in the handling of malformed client identifiers can cause a DHCP server running affected versions (see "Impact") to enter a state where further client requests are not processed and the server process loops endlessly, consuming all available CPU cycles.

1) Bug analysis

Under normal circumstances this condition should not be triggered, but a non-conforming or malicious client could deliberately trigger it in a vulnerable server. In order to exploit this condition an attacker must be able to send requests to the DHCP server. NOTE: ISC DHCP 3.0.x and ISC DHCP 4.0.x are EOL and have not been tested for this vulnerability. Versions of ISC DHCP that are vulnerable to CVE-2010-2156 (including 4.1.0 through 4.1.1-P1) can be expected to terminate unexpectedly instead of looping endlessly.

2) Solution

Upgrade affected systems to DHCP 4.1-ESV-R6 or DHCP 4.2.4-P1

DHCP 4.2.4-P1 is available from www.isc.org/downloads/all

DHCP 4.1-ESV-R6 is available from www.isc.org/downloads/all

For more information, please visit: https://kb.isc.org/article/AA-00712

 (IV) An Error in the Handling of an Unexpected Client Identifier can Cause Server Crash When Serving DHCPv6

On July 24, Beijing time, ISC announced a high-risk bug in the ISC DHCP software on its official website. An error in the handling of an unexpected client identifier can cause a server crash when serving DHCPv6.

1) Bug analysis

An unexpected client identifier parameter can cause the ISC DHCP daemon to segmentation fault when running in DHCPv6 mode, resulting in a denial of service to further client requests.

In order to exploit this condition, an attacker must be able to send requests to the DHCP server.

2) Solution

DHCP versions 4.2.0→4.2.4 are impacted.

Therefore, please upgrade affected systems to DHCP 4.2.4-P1

DHCP 4.2.4-P1 is available from www.isc.org/downloads/all

For more information, please visit: https://kb.isc.org/article/AA-00714

 (V) Two Memory Leaks Found in ISC DHCP

On July 24, Beijing time, ISC announced medium-risk bugs in the DHCP software on its official website. Both bugs can cause memory leaks when the DHCP server runs in DHCPv6 mode, and can ultimately exhaust the server's memory and crash it.

1) Bug analysis

ISC has discovered and fixed two memory leaks in the DHCP code. One of the leaks only affects servers running in DHCPv6 mode. The other is known to affect a server running in DHCPv6 mode but could potentially occur on servers running in DHCPv4 mode as well. In both cases the server can leak a small amount of memory while processing messages. The amount leaked per iteration is small and the leak will not cause problems in many cases. However on a server that is run for a long period without re-starting or a server handling an extraordinary amount of traffic from the clients the leak could consume all memory available to the DHCP server process, preventing further operation by the DHCP server process and potentially interfering with other services hosted on the same server hardware.

Therefore, the bugs only cause harm under special conditions, and DHCP servers that are restarted, whether regularly or irregularly, will not be affected.

2) Solution

Upgrade to ISC DHCP 4.1-ESV-R6 or 4.2.4-P1

Download 4.2.4-P1 or 4.1-ESV-R6 from www.isc.org/downloads/all.
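
The following is an added example, not part of the ISC advisories or of this notice: a small checker that compares an installed BIND or DHCP version string against the fixed releases listed in sections (I) to (V). The function names, the result labels and the sample inventory are assumptions made for illustration; release candidates and betas are rejected rather than guessed at.

```python
import re

# Fixed releases named in the advisories above, keyed by (product, branch).
FIXED = {
    ("bind", "9.9"): "9.9.1-P2",
    ("bind", "9.8"): "9.8.3-P2",
    ("bind", "9.7"): "9.7.6-P2",
    ("bind", "9.6"): "9.6-ESV-R7-P2",
    ("dhcp", "4.2"): "4.2.4-P1",
    ("dhcp", "4.1"): "4.1-ESV-R6",
}
# Branches the advisories call end-of-life: no fixed release exists for them.
EOL = {("bind", "9.4"), ("bind", "9.5"), ("dhcp", "3.0"), ("dhcp", "4.0")}

VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+)|(-ESV)(?:-R(\d+))?)?(?:-P(\d+))?$"
)

def parse(version):
    """Return (branch, sort_key) for strings like 9.9.1-P1 or 9.6-ESV-R7-P2."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ISC version string: {version!r}")
    major, minor, point, esv, esv_rel, patch = m.groups()
    # Assumption: within a branch, every ESV release sorts after the
    # non-ESV point releases (holds against the fixed releases listed above).
    key = (1 if esv else 0, int(esv_rel or point or 0), int(patch or 0))
    return f"{major}.{minor}", key

def status(product, version):
    """Classify an installed version as 'eol', 'upgrade', 'ok' or 'unknown'."""
    branch, key = parse(version)
    if (product, branch) in EOL:
        return "eol"  # unsupported branch: move to a maintained one
    fixed = FIXED.get((product, branch))
    if fixed is None:
        return "unknown"  # branch not mentioned in these advisories
    return "upgrade" if key < parse(fixed)[1] else "ok"

if __name__ == "__main__":
    # Constructed inventory, not taken from the advisories.
    for product, version in [("bind", "9.9.1-P1"), ("bind", "9.6-ESV-R7-P2"),
                             ("dhcp", "4.1.1-P1"), ("dhcp", "4.2.4-P1"),
                             ("bind", "9.5.2")]:
        print(product, version, status(product, version))
```

A result of "ok" only means the version is at or after the fixed release for these five advisories; it says nothing about later advisories.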
