BIND DoS Holes Fixed

Thursday, September 29, 2016 @ 04:09 PM gHale

Internet Systems Consortium (ISC) released updates for the DNS software BIND that fix two vulnerabilities.

BIND 9.9.9-P3, 9.10.4-P3 and 9.11.0rc3 patch a previously undisclosed denial-of-service (DoS) hole that can end up leveraged using specially crafted DNS request packets.

OpenSSL Patches Previous Fix
OpenSSL Patches Slew of Vulnerabilities
Patched OpenSSL Hole Still an Issue
Warning Software to Protect User

ISC found the vulnerability and it affects all servers that can receive request packets from any source. The CVSS score is 7.8.

“Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria,” ISC said in its advisory. “This assertion can be triggered even if the apparent source address isn’t allowed to make queries (i.e. doesn’t match ‘allow-query’).”

The BIND release patches a medium severity DoS issue disclosed in mid-July.

“If the lightweight resolver is asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length, the server can terminate due to an error,” ISC said in its advisory. “A server which is affected by this defect will terminate with a segmentation fault error, resulting in a denial of service to client programs attempting to resolve names.”