Four BIND Patches Released

Friday, January 13, 2017 @ 02:01 PM gHale


Four patches were released for the DNS software BIND, fixing four high-severity, remotely exploitable denial-of-service (DoS) vulnerabilities, according to a report from US-CERT.

Exploiting the flaws can cause the BIND name server (named) process to encounter an assertion failure and stop executing, resulting in a DoS condition for clients.

Internet Systems Consortium (ISC) described the vulnerabilities. For CVE-2016-9131, a malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the cache. While the combination of properties that triggers the assertion should not occur in normal traffic, an attacker could potentially trigger it deliberately by sending a specially constructed answer having the required properties, after having engineered a scenario in which an ANY query is sent to the recursive server for the target QNAME.

For the issue with the CVE-2016-9147 case number, depending on the type of query and the EDNS options in the query they receive, DNSSEC-enabled authoritative servers should include RRSIG and other RRsets in their responses to recursive servers. DNSSEC-validating servers will also make specific queries for DS and other RRsets.

For the issue labeled CVE-2016-9444, an unusually formed answer containing a DS resource record could trigger an assertion failure. While the combination of properties that triggers the assertion should not occur in normal traffic, an attacker could potentially trigger it deliberately by sending a specially constructed answer having the required properties.

For the fourth vulnerability with the case number CVE-2016-9778, an error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes.

The vulnerabilities were patched with the release of BIND versions 9.9.9-P5, 9.10.4-P5, 9.11.0-P2 and 9.9.9-S7, according to the US-CERT report.
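A version check against the fixed releases listed above, as an added example that is not from ISC, US-CERT or the original article. It reads the `BIND <version>` banner that `named -v` prints; the function names, the ordering rule within a branch, and the sample banners are assumptions constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by (major, minor, edition).
# "P" is the regular release track, "S" the separate -S edition track.
FIXED = {
    (9, 9, "P"): (9, 5),    # 9.9.9-P5
    (9, 10, "P"): (4, 5),   # 9.10.4-P5
    (9, 11, "P"): (0, 2),   # 9.11.0-P2
    (9, 9, "S"): (9, 7),    # 9.9.9-S7
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?")
_BANNER = re.compile(r"BIND (\S+)")


def parse_version(token):
    """Return (major, minor, patch, edition, level), or None if not x.y.z[-Pn|-Sn]."""
    m = _VERSION.fullmatch(token)
    if not m:
        # Release candidates, betas and vendor-rebuilt packages are not judged
        # here: distributions may backport fixes without changing x.y.z.
        return None
    major, minor, patch, edition, level = m.groups()
    return int(major), int(minor), int(patch), edition or "P", int(level or 0)


def has_fixes(banner):
    """True/False relative to the fixed release of the same branch, None if unknown."""
    m = _BANNER.search(banner)
    parsed = parse_version(m.group(1) if m else banner.strip())
    if parsed is None:
        return None
    major, minor, patch, edition, level = parsed
    fixed = FIXED.get((major, minor, edition))
    if fixed is None:
        return None  # branch not covered by the article
    # Assumption: within a branch, x.y.z < x.y.z-P1 < ... < x.y.(z+1).
    return (patch, level) >= fixed


if __name__ == "__main__":
    # Constructed sample banners, not captured from real servers.
    for sample in ("BIND 9.10.4-P4 <id:constructed>", "BIND 9.9.9-P5", "BIND 9.11.0rc1"):
        print(sample, "->", has_fixes(sample))
```

A `None` result means the string cannot be judged from the version list alone and the package's own changelog or vendor advisory has to be checked.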

ISC said it was not aware of active exploits for any of these vulnerabilities. The organization sent out advance notifications for these flaws on January 3.


