ISC Patches Critical Error Condition in BIND

The Internet Systems Consortium patched the BIND domain name system this week, addressing what it calls a critical error condition in the software.

The Internet Systems Consortium patched the BIND domain name system this week, addressing what it calls a critical error condition in the software.

A security advisory on ISC’s Knowledge Base on Tuesday acknowledges an attacker can exploit the vulnerability remotely and likely for that reason, marks the issue as high severity.

The issue stems from a defect in the rendering of messages into packets when a nameserver is constructing a response, according to the ISC, which has maintained BIND since 2000.

The bug affects a handful of versions of the software, including versions 9.0.x to 9.8.x, 9.9.0 to 9.9.9-P2, 9.9.3-S1 to 9.9.9-S3, 9.10.0 to 9.10.4-P2, and 9.11.0a1 to 9.11.0rc1.

If exploited, the vulnerability can lead to “an assertion failure in buffer.c while constructing a response to a query that meets certain criteria,” ISC warns, adding that it can be triggered “even if the apparent source address isn’t allowed to make queries (i.e. doesn’t match ‘allow-query’).”

While the ISC claims the vulnerability isn’t being exploited in the wild, it’s still cautioning that all servers, assuming they can receive request packets from any source, are vulnerable.

Users running BIND 9 are being urged to update to either version 9.9.9-P3, version 9.10.4-P3, or version 9.11.0rc3 – whichever release matches closest to their current version.

BIND is easily the most ubiquitous Domain Name System (DNS) software deployed on the Internet. Despite being so widespread, this is only the seventh vulnerability identified in the software so far this year. Before this, the most recent issue, which surfaced in July, revolved around a less pressing error that could have led to a denial of service condition in BIND’s implementation of the lightweight resolver protocol.

Suggested articles

Discussion

  • Vicky on

    It is not that important to this article, but there is an error. ISC wrote and has maintained BIND since before BIND 9 was published in 2000. (not 2012, as stated) https://www.isc.org/history-of-bind/
    • Chris Brook on

      Fixed! Not sure where I got that from.
  • Maxim Zaitsev on

    The main link is wrong, should be https://kb.isc.org/article/AA-01419/74/CVE-2016-2776%3A-Assertion-Failure-in-buffer.c-While-Building-Responses-to-a-Specifically-Constructed-Request.html

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.