-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IBM SECURITY ADVISORY First Issued: Wed Aug 5 09:40:52 CDT 2009 The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/bind_advisory.asc or ftp://aix.software.ibm.com/aix/efixes/security/bind_advisory.asc VULNERABILITY SUMMARY VULNERABILITY: AIX named DNS BIND dynamic update denial of service PLATFORMS: AIX 5.3, 6.1 SOLUTION: Apply the fix as described below. THREAT: A remote user can create a denial of service on AIX DNS servers running BIND. CERT VU Number: VU#725188 CVE Number: CVE-2009-0696 Reboot required? NO Workarounds? NO Protected by FPM? NO Protected by SED? NO DETAILED INFORMATION I. DESCRIPTION AIX 'named' is an implementation of BIND (Berkeley Internet Name Domain) providing server functionality for the Domain Name System (DNS) Protocol. AIX currently ships and supports three versions of BIND: 4, 8, and 9. There is an error in the handling of dynamic update messages in BIND 9. A crafted update packet from a remote user can cause a master server to assert and exit. Please see the following for more information: https://www.isc.org/node/474 The successful exploitation of this vulnerability allows a remote, unauthenticated user to make a master DNS server assert and exit. The following command is vulnerable: /usr/sbin/named9 II. PLATFORM VULNERABILITY ASSESSMENT To determine if your system is vulnerable, execute the following command: lslpp -L bos.net.tcp.server The following fileset levels are vulnerable: AIX Fileset Lower Level Upper Level --------------------------------------------------- bos.net.tcp.server 5.3.7.0 5.3.7.7 bos.net.tcp.server 5.3.8.0 5.3.8.5 bos.net.tcp.server 5.3.9.0 5.3.9.1 bos.net.tcp.server 5.3.10.0 5.3.10.0 bos.net.tcp.server 6.1.0.0 6.1.0.8 bos.net.tcp.server 6.1.1.0 6.1.1.5 bos.net.tcp.server 6.1.2.0 6.1.2.2 bos.net.tcp.server 6.1.3.0 6.1.3.0 III. SOLUTIONS A. APARS IBM has assigned the following APARs to this problem: AIX Level APAR number Availability ---------------------------------------------------- 5.3.7 IZ56311 11/11/2009 5.3.8 IZ56312 11/11/2009 5.3.9 IZ56313 11/11/2009 5.3.10 IZ56314 11/11/2009 6.1.0 IZ56315 9/23/2009 6.1.1 IZ56316 9/23/2009 6.1.2 IZ56317 9/23/2009 6.1.3 IZ56318 9/23/2009 Subscribe to the APARs here: http://www.ibm.com/support/docview.wss?uid=isg1IZ56311 http://www.ibm.com/support/docview.wss?uid=isg1IZ56312 http://www.ibm.com/support/docview.wss?uid=isg1IZ56313 http://www.ibm.com/support/docview.wss?uid=isg1IZ56314 http://www.ibm.com/support/docview.wss?uid=isg1IZ56315 http://www.ibm.com/support/docview.wss?uid=isg1IZ56316 http://www.ibm.com/support/docview.wss?uid=isg1IZ56317 http://www.ibm.com/support/docview.wss?uid=isg1IZ56318 By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available. B. FIXES Fixes are now available. The fixes can be downloaded from: http://aix.software.ibm.com/aix/efixes/security/bind_fix.tar ftp://aix.software.ibm.com/aix/efixes/security/bind_fix.tar The links above are to a tar file containing this signed advisory, fix packages, and PGP signatures for each package. AIX Level Fix ---------------------------------------------------- 5.3.7 IZ56311_07.090804.epkg.Z 5.3.8 IZ56312_08.090804.epkg.Z 5.3.9 IZ56313_09.090804.epkg.Z 5.3.10 IZ56314_10.090804.epkg.Z 6.1.0 IZ56315_00.090804.epkg.Z 6.1.1 IZ56316_01.090804.epkg.Z 6.1.2 IZ56317_02.090804.epkg.Z 6.1.3 IZ56318_03.090804.epkg.Z To extract the fixes from the tar file: tar xvf bind_fix.tar cd bind_fix Verify you have retrieved the fixes intact: The checksums below were generated using the "csum -h SHA1" (sha1sum) commands and are as follows: csum -h SHA1 (sha1sum) filename ------------------------------------------------------------------ 3cd61d918a55f1ca90ccf177afb63bff3448eb84 IZ56311_07.090804.epkg.Z 01b6e1853a7dab425d439215f4a57bd281e7429c IZ56312_08.090804.epkg.Z 486b25f723071d474670a09d36109719b2ff0438 IZ56313_09.090804.epkg.Z 7c5e0bcb37697ae2f8ebf53cce1ea9af51856659 IZ56314_10.090804.epkg.Z 8841942df04ff441ae5bd79e140b203d8c2000be IZ56315_00.090804.epkg.Z a1ca4ca9b7c9e1d8bbe68c75eebae56b0b8d4953 IZ56316_01.090804.epkg.Z 57dda1a9ed719fc36f8f09e34b93940f188a6482 IZ56317_02.090804.epkg.Z 3710d457c0304e99b1b3ed70fd120b6247cc45c2 IZ56318_03.090804.epkg.Z To verify the sums, use the text of this advisory as input to csum or sha1sum. For example: csum -h SHA1 -i Advisory.asc sha1sum -c Advisory.asc These sums should match exactly. The PGP signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Security and describe the discrepancy at the following address: security-alert@austin.ibm.com C. INTERIM FIX INSTALLATION IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; thus, IBM does not warrant the fully correct functionality of an interim fix. Interim fix management documentation can be found at: http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html To preview an interim fix installation: emgr -e ipkg_name -p # where ipkg_name is the name of the # interim fix package being previewed. To install an interim fix package: emgr -e ipkg_name -X # where ipkg_name is the name of the # interim fix package being installed. IMPORTANT: The fix will not take affect until any running BIND servers have been stopped and restarted with the following commands: stopsrc -s named startsrc -s named IV. WORKAROUNDS There are no workarounds. V. OBTAINING FIXES AIX security fixes can be downloaded from: http://aix.software.ibm.com/aix/efixes/security or ftp://aix.software.ibm.com/aix/efixes/security AIX fixes can be downloaded from: http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix NOTE: Affected customers are urged to upgrade to the latest applicable Technology Level and Service Pack. VI. CONTACT INFORMATION If you would like to receive AIX Security Advisories via email, please visit: http://www.ibm.com/systems/support and click on the "My notifications" link. To view previously issued advisories, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To obtain the PGP public key that can be used to communicate securely with the AIX Security Team you can either: A. Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt B. Download the key from a PGP Public Key Server. The key ID is: 0xADA6EB4D Please contact your local IBM AIX support center for any assistance. eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders. VII. ACKNOWLEDGMENTS This vulnerability was reported by Matthias Urlichs, Tom Daly, and Internet Systems Consortium. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (AIX) iD8DBQFKeaWfP9Qud62m600RAs9KAJwMwujmkWOxKi8ORk2BED4OVQJd1gCeL3Cr vtuSdf6205YFeI/2qtQlPhI= =4muv -----END PGP SIGNATURE-----