There is a critical vulnerability in several current versions of the BIND nameserver software that could allow an attacker to knock vulnerable DNS servers offline or compromise other applications running on those machines. The bug is present in several versions of the ubiquitous BIND software and the maintainers of the application have released a patch for it that they recommend users install as soon as possible.
The vulnerability is in BIND 9.7, 9.8, and 9.9 for Unix systems, but Windows versions are not affected. The problem lies in the way that the software handles certain regular expressions, and an attacker who exploits the vulnerability could not only cause a denial-of-service condition on the server but also could potentially compromise other software on the machine.
“A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine,” the security advisory from the Internet Systems Consortium, which maintains BIND, says.
“Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1 (inclusive)]. Additionally, other services which run on the same physical machine as an affected BIND server could be compromised as well through exhaustion of system memory.”
BIND is the most widely deployed nameserver software used on the Internet and is one of the critical pieces of software that underpins the infrastructure of the Web. Vulnerabilities in BIND packages are seen as serious problems, more so than an equivalent vulnerability in a less critical server application. While the ISC released a patch for the vulnerability this week, the process of users updating the millions of nameservers running BIND will take months, and a post on the Full Disclosure mailing list makes it clear that patching should be a top priority.
“I think this one stands out from most other BIND vulnerabilities due to its ease of exploitation. It took me approximately ten minutes of work to go from reading the ISC advisory for the first time to developing a working exploit. I didn’t even have to write any code to do it, unless you count regexes or BIND zone files as code. It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild,” Daniel Franke said in a message on the mailing list.
“Any server running an affected version of BIND in its default configuration as a recursive resolver, or as an authoritative nameserver that accepts zone transfers from untrusted sources, is made vulnerable by this bug.”
The new vulnerability also is present in some older versions of BIND, namely 9.7, that are past their end of life and no longer receive security fixes. The ISC says that a workaround that will prevent exploitation is possible if users recompile BIND without regular expression support.