Flaw in BIND Servers

Friday, March 29, 2013 @ 05:03 PM gHale

There is a critical vulnerability in BIND 9.7, 9.8, and 9.9 for Unix systems that could allow an attacker to knock vulnerable DNS servers offline or compromise other applications running on those machines.

BIND's maintainers have released a patch, and they recommend users install it as soon as possible.

While the vulnerability is in BIND 9.7, 9.8, and 9.9 for Unix systems, Windows versions do not suffer from the issue. The problem lies in the way the software handles certain regular expressions, and an attacker who exploits the vulnerability could not only cause a denial-of-service condition on the server but also could potentially compromise other software on the machine.

“A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server,” said the security advisory from the Internet Systems Consortium (ISC), which maintains BIND. “This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine.”

“Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1 (inclusive)]. Additionally, other services which run on the same physical machine as an affected BIND server could be compromised as well through exhaustion of system memory.”

BIND is the most widely deployed nameserver software used on the Internet and is one of the critical pieces of software that underpins the infrastructure of the Web. Vulnerabilities in BIND packages are a serious problem, more so than an equivalent vulnerability in a less critical server application. While the ISC released a patch for the vulnerability this week, the process of users updating the millions of nameservers running BIND will take months, and a post on the Full Disclosure mailing list makes it clear that patching should be a top priority.

The new vulnerability also is present in some older versions of BIND, namely 9.7, that are past their end of life and no longer receive security fixes. The ISC said a workaround that will prevent exploitation is possible if users recompile BIND without regular expression support.
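
One way to triage an inventory against the version ranges quoted above, added here as an example and not taken from ISC or the original article: it classifies `named -v` output from Unix hosts against those ranges. The hostnames, function names and status labels are made up for illustration, and because the article names no fixed releases, `-P` builds inside a range are reported as `review` rather than guessed.

```python
import re

# Pre-release ordering a < b < rc < final is an assumption about BIND naming.
STAGE = {"a": 0, "b": 1, "rc": 2, "": 3}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(-P\d+)?")

def parse(text):
    """Return (sortable key, has -P suffix), or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    key = (major, minor, patch, STAGE[m.group(4) or ""], int(m.group(5) or 0))
    return key, m.group(6) is not None

# Inclusive bounds exactly as quoted from the ISC advisory (Unix builds only).
RANGES = [(parse(lo)[0], parse(hi)[0])
          for lo, hi in (("9.8.0", "9.8.5b1"), ("9.9.0", "9.9.3b1"))]

def classify(version_text):
    parsed = parse(version_text)
    if parsed is None:
        return "unparsed"
    key, has_p = parsed
    if key[:2] == (9, 7):
        return "affected"      # all 9.7 versions; end of life, no fix coming
    if not any(lo <= key <= hi for lo, hi in RANGES):
        return "not-listed"
    # The page names no fixed -P releases, so do not guess either way.
    return "review" if has_p else "affected"

# Constructed inventory lines: "<host> <output of named -v>"
SAMPLE = """\
ns1.example.net BIND 9.7.3
ns2.example.net BIND 9.9.2-P1
ns3.example.net BIND 9.9.3b1
ns4.example.net BIND 9.9.3
"""

def triage(inventory):
    rows = (line.split(None, 1) for line in inventory.splitlines() if line.strip())
    return {host: classify(version) for host, version in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:18} {status}")
```

A `not-listed` result only means the version falls outside the ranges quoted in this article.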
