
[Plesk] BIND DoS vulnerability - Update Plesk 9.5 & 10 for Windows


Chris:
BIND has announced a vulnerability that can result in a denial of service (server crash) caused by receipt of a specific remote dynamic update message.

Please be aware that this vulnerability will affect all servers that have BIND 9.7.1 or 9.7.2 installed. Parallels Plesk Panel 9.5 for Windows and Parallels Plesk Panel 10 for Windows ship with this version of BIND, and these servers should be upgraded to BIND 9.7.3 immediately.

The vulnerability is described as follows:
http://www.isc.org/software/bind/advisories/cve-2011-0414
"When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition."

How to upgrade BIND on Plesk Windows: http://kb.parallels.com/5542

We will be providing upgraded versions as a patch and then again in our next major release.  We will provide a further update on timing after we have fully scoped the effort.
Be sure to review all of your deployment policies as they relate to all servers with these versions of Bind.
Thanks,
Parallels Plesk Panel Team


The following guide describes the steps on how you can upgrade BIND on Plesk for Windows.

[How to] How to upgrade BIND manually.
Article ID: 5542
Last Review: Feb, 24 2011

APPLIES TO:
    * Parallels Plesk Panel for Windows

Resolution
1. Go to http://www.isc.org/software/bind and download the desired version of BIND for Windows, e.g.

version 9.4.2
   http://ftp.isc.org/isc/bind9/9.4.2-P2/BIND9.4.2-P2.zip

or version 9.7.3 which was released on 15 Feb 2011
   http://ftp.isc.org/isc/bind9/9.7.3/BIND9.7.3.zip

2. Unzip it;

3. Stop BIND service (Plesk Name Server service);

4. Copy the following set of unzipped files to %plesk_dir%\dns\bin folder:

    Do not overwrite files you have, copy them somewhere for backup purposes.

      BINDInstall.exe
      dig.exe
      dnssec-keygen.exe
      dnssec-signzone.exe
      host.exe
      named.exe
      named-checkconf.exe
      named-checkzone.exe
      named-compilezone.exe
      nslookup.exe
      nsupdate.exe
      rndc-confgen.exe
      rndc.exe
      libbind9.dll
      libeay32.dll
      bindevt.dll
      libdns.dll
      libisccc.dll
      libisccfg.dll
      libisc.dll
      liblwres.dll

    Make sure that permissions are inherited from the parent folder %plesk_dir%\dns\bin and look like the following:
       psaadm  - allow read & execute
       psaserv - deny all
       psacln  - deny all

5. Make sure that the operating system has a version of the Microsoft Visual C++ 2005 Redistributable Package installed that is equal to or higher than the package shipped with the BIND distribution (the "vcredist_x86.exe" file in the archive). The latest version of the Package can be obtained from the Microsoft article.

6. Start BIND service (Plesk Name Server service).


Feel free to contact SolarVPS Tech Support team by opening a ticket at https://support.solarvps.com if you have any further questions on this issue.
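
Steps 2 to 6 of the guide above as a PowerShell script, an added example that is not part of the original post or of the Parallels article. The unzip location, the backup folder name and the service display-name pattern are assumptions; adjust them to the server.

```powershell
# Added example. Assumptions: archive already unzipped to $Source; the BIND
# service is found by the display name 'Plesk Name Server*'.
param(
    [string]$Source = 'C:\Temp\BIND9.7.3',                  # assumed unzip location
    [string]$BinDir = (Join-Path $env:plesk_dir 'dns\bin')  # %plesk_dir%\dns\bin
)
$ErrorActionPreference = 'Stop'

# File set from step 4 of the article.
$files = @(
    'BINDInstall.exe','dig.exe','dnssec-keygen.exe','dnssec-signzone.exe',
    'host.exe','named.exe','named-checkconf.exe','named-checkzone.exe',
    'named-compilezone.exe','nslookup.exe','nsupdate.exe','rndc-confgen.exe',
    'rndc.exe','libbind9.dll','libeay32.dll','bindevt.dll','libdns.dll',
    'libisccc.dll','libisccfg.dll','libisc.dll','liblwres.dll'
)

# Refuse to touch the server if the unzipped archive is incomplete.
$missing = $files | Where-Object { -not (Test-Path (Join-Path $Source $_)) }
if ($missing) { throw "Missing from ${Source}: $($missing -join ', ')" }

$svc = @(Get-Service -DisplayName 'Plesk Name Server*')    # assumed display name
if ($svc.Count -ne 1) { throw "Expected one BIND service, found $($svc.Count)" }
Stop-Service -InputObject $svc[0]

# Back up each current binary before it is overwritten (hypothetical folder name).
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path (Split-Path $BinDir -Parent) "bin-backup-$stamp"
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($f in $files) {
    $current = Join-Path $BinDir $f
    if (Test-Path $current) { Copy-Item $current $backup }
    Copy-Item (Join-Path $Source $f) $BinDir -Force
}

# List the ACL on the new named.exe so the psaadm / psaserv / psacln entries
# and their inheritance can be compared with step 4.
(Get-Acl (Join-Path $BinDir 'named.exe')).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited

Start-Service -InputObject $svc[0]
& (Join-Path $BinDir 'named.exe') -v    # prints the BIND version now installed
```

If the service fails to start, stop it again and copy the files from the backup folder back into %plesk_dir%\dns\bin.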
