Patch Available for DoS Vulnerability in BIND Nameservers

ISC has patched a denial of service vulnerability in certain versions of BIND 9.

A denial-of-service vulnerability in certain versions of BIND name servers has been patched, and network managers are urged to upgrade quickly to a secure version of the DNS software.

Attackers sending specially crafted queries with malformed data to a vulnerable BIND server could cause the system to crash.

“Authoritative and recursive servers are equally vulnerable,” according to an alert from the Internet Systems Consortium (ISC), which runs BIND. “Intentional exploitation of this condition can cause a denial of service in all nameservers running affected versions of BIND 9. Access Control Lists do not provide any protection from malicious clients.”

Open source versions 9.7.0 to 9.7.7, 9.8.0 to 9.8.5, 9.9.0 to 9.9.3-P1, and 9.8.6b1 to 9.9.4b1 are vulnerable, as are subscription versions 9.9.3-S1 and 9.9.4-S1b1.

The ISC also warns that all versions of BIND 9.7 are vulnerable but these versions are no longer supported and do not receive security patches from ISC.

“In addition to the named server, applications built using libraries from the affected source distributions may crash with assertion failures triggered in the same fashion,” ISC warns.

ISC adds that users should upgrade to a patch release most closely related to the current BIND version running in your environment.

According to a post on the Full Disclosure mailing list, the malformed rdata will cause a named daemon to crash while rejecting the malformed query.

More than a month ago, ISC patched a remotely exploitable denial of service flaw in BIND 9. An attacker exploiting the bug could crash recursive resolvers with a RUNTIME_CHECK error in resolver.c, the advisory said. That bug affected BIND 9.6-ESV-R9, 9.8.5, and 9.9.3 but did not affect versions 9.6.0 through 9.6-ESV-R8, 9.8.0 through 9.8.4-P2, and 9.9.0 through 9.9.2-P2.

These flaws come on the heels of a major vulnerability discovered and patched in late March that implicated millions of DNS servers running on UNIX systems. Exploits could not only crash DNS servers, but also compromise other applications running on a BIND server.

“A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server.  This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine,” the security advisory from the Internet Systems Consortium, which maintains BIND, says.

Suggested articles