BIND DoS Holes Filled

Monday, March 14, 2016 @ 04:03 PM gHale


Updates went out for DNS software BIND to address three high-severity denial-of-service (DoS) vulnerabilities.

One of the flaws relates to the way BIND parses signature records for DNAME records, said researchers at the Internet Systems Consortium (ISC), which released the updates.

A remote attacker can cause the BIND name server (named) process to crash by sending a specially crafted query.

“Recursive resolvers are at the highest risk of vulnerability to this attack but authoritative-only servers may also be vulnerable if the attacker can control the answers for records requested when the authoritative server is performing service on zones (e.g. a slave server doing SOA queries),” ISC said in its advisory.

“Servers may be affected even if they are not performing validation or have DNSSEC disabled entirely as long as they receive a response containing offending signature records. Disabling DNSSEC does not provide protection against this vulnerability,” the advisory said.

The issue affects BIND versions 9.0.0 through 9.8.8, 9.9.0 through 9.9.8-P3, 9.9.3-S1 through 9.9.8-S5, and 9.10.0 through 9.10.3-P3. The security hole was patched with the release of BIND 9.10.3-P4 and 9.9.8-P4.

Another issue patched in BIND is a remotely exploitable vulnerability uncovered by ISC during testing. The bug, related to control channel input handling, can be exploited by sending named a malformed packet.

“All servers are vulnerable if they accept remote commands on the control channel. Servers which are vulnerable can be stopped by an attacker sending the offending packet if the attacker is sending from a system listed within the address list specified in the ‘controls’ statement (or from localhost if the control channel is using the default address list) resulting in denial of service to clients,” ISC said.

The flaw affects BIND 9.2.0 through 9.8.8, 9.9.0 through 9.9.8-P3, 9.9.3-S1 through 9.9.8-S5, and 9.10.0 through 9.10.3-P3. A patch has been included in versions 9.10.3-P4 and 9.9.8-P4.

The last vulnerability patched by ISC is a hole that can be leveraged to terminate named by an attacker who can cause servers with DNS cookie support enabled to receive and process a response containing multiple cookie options.

The weakness impacts BIND 9.10.0 through 9.10.3-P3, and was fixed with the release of version 9.10.3-P4. ISC pointed out that only servers with cookie support enabled are vulnerable, and that this option is not enabled by default when the server is built using an ISC-supported source.

ISC said it’s unaware of any exploits targeting these vulnerabilities.
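
For administrators auditing an inventory, the affected ranges above can be turned into a version check. The following is an added example, not code from ISC or from this article; the issue labels are descriptive names chosen here, and it assumes version strings in the plain, -P and -S forms used above (anything else is rejected rather than guessed at).

```python
import re

# Affected ranges exactly as listed in the article (inclusive on both ends).
# The dictionary keys are labels invented for this example.
AFFECTED = {
    "dname-signature-parsing": [
        ("9.0.0", "9.8.8"), ("9.9.0", "9.9.8-P3"),
        ("9.9.3-S1", "9.9.8-S5"), ("9.10.0", "9.10.3-P3"),
    ],
    "control-channel-input": [
        ("9.2.0", "9.8.8"), ("9.9.0", "9.9.8-P3"),
        ("9.9.3-S1", "9.9.8-S5"), ("9.10.0", "9.10.3-P3"),
    ],
    # Only relevant when DNS cookie support is enabled in the build.
    "multiple-cookie-options": [("9.10.0", "9.10.3-P3")],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?$")

def parse(version):
    """Return (track, sortable key); -S builds are compared only with -S ranges."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, kind, level = m.groups()
    track = "S" if kind == "S" else "P"  # a plain release counts as patch level 0
    return track, (int(major), int(minor), int(patch), int(level or 0))

def affected_by(version):
    """List the issues whose published ranges include this version."""
    track, key = parse(version)
    hits = []
    for issue, ranges in AFFECTED.items():
        for low, high in ranges:
            low_track, low_key = parse(low)
            high_track, high_key = parse(high)
            if track == low_track == high_track and low_key <= key <= high_key:
                hits.append(issue)
                break
    return hits

if __name__ == "__main__":
    # Constructed sample inventory.
    for v in ("9.1.0", "9.9.8-P3", "9.9.8-S5", "9.10.3-P3", "9.10.3-P4"):
        print(v, affected_by(v) or "not in an affected range")
```

The version token to feed in is the one printed by `named -v`. A hit on the cookie issue still depends on cookie support being enabled, which the version string alone does not show.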