The maintainers of BIND have patched a critical, remotely exploitable vulnerability in the DNS server software that can be used to mount a denial-of-service attack. The vulnerability affects all releases of BIND 9 from 9.1.0 through 9.9.7-P1 and from 9.10.0 through 9.10.2-P2.
The vulnerability lies in the way BIND handles queries for TKEY (transaction key) records. The bug is fixed in BIND 9.9.7-P2 and 9.10.2-P3.
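Because the affected and fixed releases differ only by a "-Pn" patch-level suffix, a naive string comparison gets the boundary wrong (9.9.7-P1 is vulnerable, 9.9.7-P2 is not, and a plain 9.9.7 sorts below both). The following check is an added example, not code from ISC or from this article; it parses the banner that `named -v` prints and tests it against the affected ranges given in ISC's advisory for CVE-2015-5477. The sample banners are constructed for the example.

```python
import re

# Affected ranges from ISC's CVE-2015-5477 advisory, as (major, minor, patch, P-level):
# 9.1.0 up to and including 9.9.7-P1, and 9.10.0 up to and including 9.10.2-P2.
# Lower bound inclusive, upper bound exclusive: the upper bound is the fixed release.
AFFECTED_RANGES = [
    ((9, 1, 0, 0), (9, 9, 7, 2)),    # fixed in 9.9.7-P2
    ((9, 10, 0, 0), (9, 10, 2, 3)),  # fixed in 9.10.2-P3
]

# Matches "BIND 9.9.7", "BIND 9.9.7-P1", "BIND 9.10.2-P3" inside a `named -v` banner.
_VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?\b")


def parse_named_version(banner):
    """Turn the first line of `named -v` output into a comparable tuple.

    A release without a -Pn suffix must sort below its own -P1, so the
    fourth element is 0 for a plain release and n for "-Pn".
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no BIND version found in: %r" % banner)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(banner):
    """True when the reported version falls inside an affected range."""
    v = parse_named_version(banner)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Constructed sample banners in the shape `named -v` prints (not captured output).
SAMPLE_BANNERS = [
    "BIND 9.9.7-P1 (Extended Support Version)",
    "BIND 9.9.7-P2 (Extended Support Version)",
    "BIND 9.8.4-P2",
    "BIND 9.10.2-P2",
    "BIND 9.10.2-P3",
    "BIND 9.10.3",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print("%-42s %s" % (b, "VULNERABLE" if is_vulnerable(b) else "fixed"))
```

Run it against the real output of `named -v` on each server; the version reported by `dig +short version.bind chaos txt` is often hidden or rewritten by configuration, so prefer the local banner.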
“An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit,” the advisory from the Internet Systems Consortium, which maintains BIND, says.
“Both recursive and authoritative servers are vulnerable to this defect. Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.”
BIND is the most widely deployed name server software on the Internet, and the TKEY flaw is an especially problematic one for administrators running name servers, because the ISC says there is no real workaround and defending against the bug other than by patching is difficult.
“Many of our bugs are limited in scope or affect only users having a particular set of configuration choices. CVE-2015-5477 does not fall into that category. Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds. Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then. And the fix for this defect is very localized to one specific area of the BIND code,” Michael McNally said in a special note on the vulnerability.
McNally added that practical attacks against CVE-2015-5477 are likely to emerge quickly.
“The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer. I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind,” McNally said.
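McNally's point that a firewall can only screen these packets if it "understands DNS at a protocol level" comes down to parsing the wire format: the TKEY type code (249) sits after a variable-length, possibly compressed, owner name in the question section, so no fixed byte offset identifies it. The following is an added example, not code from ISC or from this article, of the minimum parsing such a screen needs. It decodes the header and question section of a DNS message, follows RFC 1035 compression pointers with a hop limit, and flags queries whose question asks for TKEY. The packets it runs over are constructed inline for the example. It identifies TKEY traffic, not the specific malformed packet that triggers the assertion, so it is a monitoring and triage aid, not a substitute for the patch.

```python
import struct

TYPE_TKEY = 249   # RFC 2930 TKEY resource record type code
QR_BIT = 0x8000   # header flags: 0 = query, 1 = response


def _read_name(pkt, off):
    """Decode a wire-format name at `off`; return (name, offset after it).

    Follows compression pointers (RFC 1035 s4.1.4) but caps the hop count so a
    crafted pointer loop cannot hang the parser.
    """
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:               # two-byte compression pointer
            if off + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            ptr = ((ln & 0x3F) << 8) | pkt[off + 1]
            if not jumped:
                end = off + 2               # the name ends after the first pointer
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = ptr
            continue
        if ln & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels) or ".", end


def parse_query(pkt):
    """Parse the header and question section; return the fields a screen needs."""
    if len(pkt) < 12:
        raise ValueError("short header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        if off + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": msg_id, "is_query": not (flags & QR_BIT),
            "questions": questions, "arcount": ar}


def is_tkey_query(pkt):
    """True when `pkt` is a well-formed query whose question section asks for TKEY."""
    try:
        m = parse_query(pkt)
    except ValueError:
        return False                        # unparseable input is not flagged here
    return m["is_query"] and any(q[1] == TYPE_TKEY for q in m["questions"])


def build_query(name, qtype, msg_id=0x1234):
    """Constructed test packet (example helper, not a real capture): one question."""
    wire = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00" + struct.pack("!HH", qtype, 1)


def scan(packets):
    """Return the indices of packets a DNS-aware screen would flag as TKEY queries."""
    return [i for i, p in enumerate(packets) if is_tkey_query(p)]


# Constructed sample traffic for the example.
SAMPLE_PACKETS = [
    build_query("www.example.com", 1),       # ordinary A query
    build_query("example.com", TYPE_TKEY),   # TKEY query: flagged
    build_query("example.com", 28),          # AAAA query
    b"\x12\x34",                             # garbage: rejected by the parser
]

if __name__ == "__main__":
    print("TKEY queries at indices:", scan(SAMPLE_PACKETS))
```

A real deployment would feed this from a packet capture or a DNS-aware proxy and alert on, or rate-limit, TKEY queries from unexpected sources; the example deliberately reports only on the question section, since the advisory states the defect is reached before ACL and configuration checks, so any client that can reach the server at all is in scope.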
The ISC has released the two new versions to fix the TKEY vulnerability. They also carry a second security fix, though it is less serious than the TKEY bug.
“On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server,” the BIND release notes say.