Sid 1-44879

Message

SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt

Summary

This event is generated when an attempt is made to exploit a known vulnerability in ISC BIND.

Impact

Denial of Service. Information disclosure. Loss of integrity.

CVE-2013-4854:

CVSS base score 7.8

CVSS impact score 6.9

CVSS exploitability score 10.0

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

Detailed information

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and 9.9.4-S1b1, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query with a malformed RDATA section that is not properly handled during construction of a log message, as exploited in the wild in July 2013.

Affected systems

  • isc bind 9.7.0
  • isc bind 9.7.0a1
  • isc bind 9.7.0a2
  • isc bind 9.7.0a3
  • isc bind 9.7.0b1
  • isc bind 9.7.0b2
  • isc bind 9.7.0b3
  • isc bind 9.7.1
  • isc bind 9.7.1b1
  • isc bind 9.7.2
  • isc bind 9.7.3
  • isc bind 9.7.4
  • isc bind 9.7.4b1
  • isc bind 9.7.5
  • isc bind 9.7.6
  • isc bind 9.7.7
  • isc bind 9.8.0
  • isc bind 9.8.1
  • isc bind 9.8.2
  • isc bind 9.8.3
  • isc bind 9.8.4
  • isc bind 9.8.5
  • isc bind 9.8.6
  • isc bind 9.9.0
  • isc bind 9.9.1
  • isc bind 9.9.2
  • isc bind 9.9.3
  • isc dnsco_bind 9.9.3
  • isc dnsco_bind 9.9.4
  • suse suselinuxenterprisesoftwaredevelopment_kit 11.0
  • fedoraproject fedora 18
  • fedoraproject fedora 19
  • freebsd freebsd 8.0
  • freebsd freebsd 8.1
  • freebsd freebsd 8.2
  • freebsd freebsd 8.3
  • freebsd freebsd 8.4
  • freebsd freebsd 9.0
  • freebsd freebsd 9.1
  • freebsd freebsd 9.2
  • hp hp-ux b.11.31
  • mandriva business_server 1.0
  • mandriva enterprise_server 5.0
  • novell opensuse 11.4
  • novell suse_linux 11
  • redhat enterprise_linux 5
  • redhat enterprise_linux 6
  • slackware slackware_linux 12.1
  • slackware slackware_linux 12.2
  • slackware slackware_linux 13.0
  • slackware slackware_linux 13.1
  • slackware slackware_linux 13.37

Ease of attack

Medium

False positives

None Known

False negatives

None Known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • kb.isc.org/article/AA-01015
  • kb.isc.org/article/AA-01016