Signature Can Crash Bind Name Servers

Wednesday, June 1, 2011 @ 03:06 PM gHale

Where a Bind name server acts as a caching resolver, it is vulnerable to DoS attacks which could cause it to crash, according to the Internet Systems Consortium (ISC).

ISC describes the issue in its advisory Large RRSIG RRsets and Negative Caching can crash named and categorizes the problem, which an attacker can trigger remotely, as “high” severity.

The DNSSEC extension plays a key role in the latest security problem to hit the widely used name server. It appears the internal memory manager can become confused when it has to cache signed entries for non-existent domains. ISC’s Larissa Shapiro has confirmed servers which do not themselves offer DNSSEC functionality are also vulnerable.

To exploit the bug an attacker must be running a DNSSEC-signed authority server for a domain, according to ISC.

He would then be able to induce DNS lookups for non-existent names on that domain (for example by sending out spam), which would trigger the bug on the vulnerable name server.

Versions 9.4-ESV-R3, 9.6-ESV-R2, 9.6.3, 9.7.1, 9.8.0 and earlier are all affected. ISC has released updates which should fix the problem.



Leave a Reply

You must be logged in to post a comment.