Six Security Flaws Fixed in BIND 9.9.2

A new version of the BIND DNS server software is available, fixing six security vulnerabilities and a long list of other bugs. BIND 9.9.2-P1 is mainly a security update and most of the issues it fixes are crashes and not remote code execution flaws.

A new version of the BIND DNS server software is available, fixing six security vulnerabilities and a long list of other bugs. BIND 9.9.2-P1 is mainly a security update and most of the issues it fixes are crashes and not remote code execution flaws.

BIND is the overwhelming leader in market share for DNS servers and is used in millions of deployments around the world. The software is maintained by the Internet Systems Consortium and can be an attractive target for attackers looking for a way to get a privileged position in a given network. Name servers, such as those run on BIND software, handle the task of resolving queries for specific domain names into the IP addresses associated with them.

BIND 9.9.2-P1 includes a significant number of non-security changes, including fixes for more than 20 bugs. Here is thBINDe list of the security fixes included in the latest version of BIND:

  • Prevents named from aborting with a require assertion failure on servers with DNS64 enabled.  These crashes might occur as a result of  specific queries that are received.  (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996).  [CVE-2012-5688] [RT #30792]
  • A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
  • Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]
  • Prevents a named assert (crash) when validating caused by using “Bad cache” data before it has been initialized. [CVE-2012-3817]  [RT #30025] 
  • A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
  • ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539 & #30233]

The newest version of BIND also includes some new security related features, most notably the inclusion of support for Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC. The DNSSEC extension is designed to add an additional layer of integrity and origin authentication for DNS servers.  

Suggested articles