[SECURITY] Bind DoS vulnerability - Update Plesk 9.5 & 10 for Windows

wstuermer

Blog User
Parallels Plesk Panel

BIND has announced a vulnerability that can result in a denial of service (server crash) caused by receipt of a specific remote dynamic update message.

Please be aware that this vulnerability will affect all servers that have Bind 9.7.1 or 9.7.2 installed. Parallels Plesk Panel 9.5 for Windows and Parallels Plesk Panel 10 for Windows ship with this version of Bind, and these servers should be upgraded to Bind 9.7.3 immediately.

The vulnerability is described as follows:

https://www.isc.org/software/bind/advisories/cve-2009-0696

"Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround."

How to upgrade BIND on Plesk Windows: see http://kb.parallels.com/5542

We will be providing upgraded versions as a patch and then again in our next major release. We will provide a further update on timing after we have fully scoped the effort.

Be sure to review all of your deployment policies as they relate to all servers with these versions of Bind.

Thanks,
Parallels Plesk Panel Team

©1999-2010 Parallels. Virtualization and Automation Software. All Rights Reserved.


wstuermer

Blog User
This message is a correction to a previous notification sent last week. We inadvertently cited the wrong security announcement from BIND, and that information has been corrected below.

BIND has announced a vulnerability that can result in a denial of service (server crash) caused by receipt of a specific remote dynamic update message.

Please be aware that this vulnerability will affect all servers that have Bind 9.7.1 or 9.7.2 installed. Parallels Plesk Panel 9.5 for Windows and Parallels Plesk Panel 10 for Windows ship with this version of Bind, and these servers should be upgraded to Bind 9.7.3 immediately.

The vulnerability is described as follows:

http://www.isc.org/software/bind/advisories/cve-2011-0414

"When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition."

How to upgrade BIND on Plesk Windows: http://kb.parallels.com/5542

We will be providing upgraded versions as a patch and then again in our next major release. We will provide a further update on timing after we have fully scoped the effort.

Be sure to review all of your deployment policies as they relate to all servers with these versions of Bind.

Thanks,
Parallels Plesk Panel Team

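Both notifications above say the same thing about remediation: access controls do not help, and the only fix is to move every master server off BIND 9.7.1/9.7.2 to 9.7.3. What an operator with several Plesk boxes needs is a quick way to turn collected version strings into a list of hosts still to upgrade. The following Python script is an added example written for this thread; it is not code from the posts, from Parallels or from ISC. It parses version strings in the forms produced by `named -v` and by a `version.bind` CHAOS TXT query, flags the releases the notification names as affected, and reports hosts whose version could not be read as "unknown" rather than assuming they are safe. One assumption not stated in the notification: every patch level of an affected release (for example 9.7.2-P3) is treated as affected, since the fix release is 9.7.3. The hostnames and version strings in the inventory are constructed sample data.

```python
import re

# Releases the notification above names as affected, and the fix release.
# Assumption (not stated in the post): every patch level of an affected
# release, e.g. "9.7.2-P3", is treated as affected too, since the fix is 9.7.3.
AFFECTED_RELEASES = {(9, 7, 1), (9, 7, 2)}
FIXED_RELEASE = (9, 7, 3)

# Matches "9.7.2" or "9.7.2-P3", on its own or embedded in other text.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?\b")


def parse_bind_version(text):
    """Return (major, minor, patch, plevel) from a BIND version string, or None.

    Handles the forms seen in `named -v` output ("BIND 9.7.2-P3") and in a
    version.bind CHAOS TXT answer ('"9.7.1"'). None means no version number
    was present, e.g. the operator hid it with the `version` option in
    named.conf.
    """
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def assess(text):
    """Classify one version string as 'affected', 'not-affected' or 'unknown'."""
    v = parse_bind_version(text)
    if v is None:
        return "unknown"
    if v[:3] in AFFECTED_RELEASES:
        return "affected"
    return "not-affected"


def triage(inventory):
    """Map each (host, version_string) pair to its status.

    Hosts whose version cannot be read are reported as 'unknown' rather than
    silently treated as safe: hiding the version string does not remove the bug.
    """
    return {host: assess(version) for host, version in inventory}


# Constructed sample inventory, in the shape an operator would get from
# `named -v` on each box or `dig +short @<host> version.bind chaos txt`.
SAMPLE_INVENTORY = [
    ("ns1.example.test", "BIND 9.7.2-P3"),
    ("ns2.example.test", '"9.7.3"'),
    ("ns3.example.test", "BIND 9.7.1"),
    ("ns4.example.test", '"not disclosed"'),
    ("ns5.example.test", "BIND 9.6.2-P2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        note = ""
        if status == "affected":
            note = " -> upgrade to BIND %d.%d.%d" % FIXED_RELEASE
        elif status == "unknown":
            note = " -> version hidden; check on the host itself"
        print("%-18s %s%s" % (host, status, note))
```

Run it as a script to print the per-host verdicts, or import `triage` and feed it the output of whatever inventory tool you already use. The "not-affected" verdict only means the host is outside the range this notification covers, not that the release it runs is otherwise current.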