NLnet Labs, NSD development team.
Authored July, 2012
Updated and released July 27, 2012

Summary

Tom Hendrikx, the NSD package maintainer for Gentoo, reported to NLnet Labs a denial of service vulnerability in the new 'per zone statistics' feature. The problem affects NSD 3.2.11 and 3.2.12. This is issue CVE-2012-2979, VU#517036.

When the per zone stats build option is enabled, it is possible to crash (SIGSEGV) an NSD child server process by sending it a DNS packet from any host on the internet. A crashed child process will automatically be restarted by the parent process, but an attacker may keep the NSD server occupied restarting child processes by sending it a stream of such packets, effectively preventing the NSD server from serving.

Solution

To resolve the issue, update your systems to NSD version 3.2.13 or higher. If you insist on running an older version of NSD, we have published patches. The patch makes clear what you should change in the source code if you run a different or modified version of NSD.

Download NSD 3.2.13 (SHA1 checksum: 2cb44f75e9686fd73c7ee9765857a36a8fe5bca9 )
Vulnerability patch (SHA1 checksum: aa845b1ea27090469ebc96a19d49e6afcd1b1969 )

Acknowledgements

We acknowledge and thank Tom Hendrikx for finding and reporting this vulnerability.






Summary

Marek Vavrusa and Lubos Slovak from CZ.NIC Labs reported to NLnet Labs a denial of service vulnerability in NSD that can be triggered by a non-standard DNS packet from any host on the internet. The problem affects NSD 3 and NSD 4 (development version), and is fixed in NSD 3.2.12. This is issue CVE-2012-2978, VU#624931.

It is possible to crash (SIGSEGV) an NSD child server process by sending it a non-standard DNS packet from any host on the internet. A crashed child process will automatically be restarted by the parent process, but an attacker may keep the NSD server occupied restarting child processes by sending it a stream of such packets, effectively preventing the NSD server from serving.

Solution

To resolve the issue, update your systems to NSD version 3.2.12 or higher. If you insist on running an older version of NSD, we have published patches. The patch makes clear what you should change in the source code if you run a different or modified version of NSD.

Download NSD 3.2.12 (SHA1 checksum: dd8606a05525f6a493dfacb7ddfa7e1fa3c6a85b )
Vulnerability patch (SHA1 checksum: fb67a3096e573fa9cce6001098423568ad783e54 )

Acknowledgements

We acknowledge and thank Marek Vavrusa and Lubos Slovak from CZ.NIC Labs for finding and reporting this vulnerability.








NLnet Labs, NSD development team.
Authored May, 2009
Updated and released May 19, 2009

Summary

On May 6, 2009, Ilja van Sprundel of IOActive reported to NLnet Labs a one-byte buffer overflow in NSD. The problem affects all versions 2.0.0 to 3.2.1. The bug allows a carefully crafted exploit to bring down your DNS server. It is highly unlikely that this specific one-byte overflow can lead to other (system) exploits.

Solution

To resolve the issue, update your systems to NSD version 3.2.2 or higher. If you insist on running an older version of NSD, we have published vulnerability patches for versions 3.2.1 and 2.3.7. The patch makes clear what you should change in the source code if you run a different or modified version of NSD.

Download NSD 3.2.2 (SHA1 checksum: 23fc0be5d447ea852acd49f64743c96403a091fa )
Vulnerability patch for NSD 3.2.1 (SHA1 checksum: 20cb9fc73fae951a9cc25822c48b17ca1d956119 )
Vulnerability patch for NSD 2.3.7 (SHA1 checksum: 94887d212621b458a86ad5b086eec9240477 )

Acknowledgements

We acknowledge and thank Ilja van Sprundel of IOActive for finding and reporting this vulnerability.
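
The affected version ranges from the three advisories above, turned into an inventory check (an added example, not NLnet Labs code). Assumptions: "NSD 3" is read as every 3.x release below 3.2.12, NSD 4 development builds are left out because the page gives no version number for them, the host names and inventory are constructed, and a build with a vulnerability patch applied is still flagged because only version numbers are compared.

```python
import re

# (label, first affected, first fixed, needs the per zone stats build option)
ADVISORIES = [
    ("CVE-2012-2979", (3, 2, 11), (3, 2, 13), True),
    ("CVE-2012-2978", (3, 0, 0), (3, 2, 12), False),  # assumption: all 3.x
    ("one-byte overflow (2009)", (2, 0, 0), (3, 2, 2), False),
]

def parse_version(text):
    """Extract (major, minor, patch) from a string such as '3.2.11'."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())

def affected_by(version_text, per_zone_stats=None):
    """Return the advisory labels that apply to this build.

    per_zone_stats: True/False if the build option is known, None if unknown.
    """
    version = parse_version(version_text)
    hits = []
    for label, first_bad, first_fixed, needs_stats in ADVISORIES:
        if not (first_bad <= version < first_fixed):
            continue
        if needs_stats and per_zone_stats is False:
            continue  # the crash needs the build option, which is off here
        if needs_stats and per_zone_stats is None:
            label += " (check per zone stats build option)"
        hits.append(label)
    return hits

# Constructed inventory: (host, reported version, per zone stats option).
INVENTORY = [
    ("ns1.example", "3.2.11", True),
    ("ns2.example", "3.2.12", None),
    ("ns3.example", "2.3.7", False),
    ("ns4.example", "3.2.13", True),
]

def triage(inventory):
    """Map each host to the advisories it still needs a fix for."""
    return {host: affected_by(ver, stats) for host, ver, stats in inventory}

if __name__ == "__main__":
    for host, hits in triage(INVENTORY).items():
        print(host, "->", ", ".join(hits) or "no advisory on this page applies")
```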

Wed Sep 25 2013