BIND Patched, But Still Vulnerable

Friday, October 14, 2016 @ 03:10 PM gHale

Just because a patch goes out, it does not mean the device or software is safe.

One case in point is a denial-of-service (DoS) vulnerability patched last month in DNS software BIND is now undergoing exploitation and systems are crashing.

BIND DoS Holes Fixed
OpenSSL Patches Previous Fix
OpenSSL Patches Slew of Vulnerabilities
Patched OpenSSL Hole Still an Issue

The vulnerability, discovered by the Internet Systems Consortium (ISC) and tracked as CVE-2016-2776, ended up fixed late last month with the release of BIND 9.9.9-P3, 9.10.4-P3 and 9.11.0rc3. The vulnerability can end up leveraged for DoS attacks using specially crafted DNS packets.

On October 4, shortly after proof-of-concept (PoC) code and a Metasploit module were made available, the ISC said it had learned of server crashes apparently resulting from exploitation of this vulnerability. Japan’s National Police Agency also issued an alert to warn users of “indiscriminate attacks.”

The vulnerability falls in line with how a DNS server constructs a response to certain queries. If the response to a query has a size larger than the default 512, it can lead to a crash of the BIND name server (named) process.

Researchers at Trend Micro described the cause of the vulnerability:

“When a DNS server constructs a response for a DNS Query, it reserves the space in the response buffer (of size 512 by default), it will increment the msg->reserved by the size required for Answer RR. The size also adds up in msg->reserved size, which would be the same if the response buffer has other Resource Records.

“Before patching, the server does not take fixed 12-byte DNS headers into consideration, which also adds to the response traffic after rendering the Resource Records from Query through function dns_message_rendersection(). So if the DNS response(r.length) traffic is less than 512 bytes (msg->reserved), the function will return true, but adding the fixed 12-byte header will cause the service to terminate if it exceeds the fixed reserved size of 512 bytes.”