The Internet Systems Consortium (ISC) published a security advisory yesterday resolving a high-priority, remotely exploitable denial-of-service vulnerability in BIND 9, the de facto software standard for implementing domain name system protocols online.
A defect in BIND 9 could allow a remote attacker to crash recursive resolvers with a RUNTIME_CHECK error in resolver.c. If an attacker sends the recursive server a query for a record in a specially malformed zone, BIND 9 could exit with a fatal RUNTIME_CHECK error. In other words, triggering the defect denies service to the recursive DNS clients that use that particular server.
The bug affects BIND 9.6-ESV-R9, 9.8.5, and 9.9.3 but does not affect versions 9.6.0 through 9.6-ESV-R8, 9.8.0 through 9.8.4-P2, and 9.9.0 through 9.9.2-P2.
The advisory goes on to note that other versions of BIND are not affected by this vulnerability but that they are also no longer supported by the ISC and may contain any number of other unfixed security bugs.
The ISC is not aware of any instance in which attackers have exploited this vulnerability in the wild. It is classifying the issue as a type II vulnerability, meaning that it has been publicly disclosed: it was written up on a mailing list with enough detail that an attacker could potentially reverse engineer an exploit for the vulnerability.
No workaround exists, but a new version of BIND provides a solution for the problem. The ISC is recommending that BIND users upgrade to the patched release most closely related to their current version of BIND.
In March, the ISC shipped a security patch that fixed a vulnerability that could have allowed attackers to not only cause DoS conditions on affected servers but also compromise other software on the machines. Up to the point that it was patched, the critically rated flaw affected millions of BIND servers.