Remotely exploitable bug discovered in the popular DNS software

Jul 29, 2009 08:57 GMT

Internet Systems Consortium (ISC), the maintainer of BIND, advises that a critical vulnerability allows attackers to perform denial-of-service attacks by sending malformed dynamic update messages to DNS servers running the software. Administrators are urged to deploy patches for their operating system immediately, if available.

BIND is the most widely used DNS server software and is distributed by default with the vast majority of Unix and Linux platforms. This latest DoS bug affects all versions of BIND 9, the latest major revision of the software, prior to 9.4.3-P3, 9.5.1-P3 and 9.6.1-P1; those three releases are not vulnerable.

"Receipt of a specially crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit," ISC writes in its advisory, and warns that "An active remote exploit is in wide circulation at this time."

Vincent Danen of the Red Hat Security Team explains that exploitability is limited by the fact that an attacker would need to have the RNDC key, which should normally be required, and also know an existing FQDN (Fully Qualified Domain Name). ISC also mentions that there are no workarounds available; however, the community has provided some suggestions. "One standard best practice is to have one master and multiple slaves and to protect that master (no exposure to the Internet)," Michael H. Warfield of IBM Internet Security Systems writes.

Matthias Urlichs is credited with the discovery of this flaw, and his proof-of-concept exploit code is written in Perl. "Interestingly, the reproducer [exploit] is a clever one as it does not exit when named [name daemon – alternative name for bind9] crashes, so if named is restarted or is running under a supervision service to auto-restart, just leaving the reproducer running will continue to cause it to crash indefinitely unless the attacking IP is firewalled off," Vincent Danen notes.

The Debian Project has addressed this flaw in the bind9 9.6.1.dfsg.P1-1 package. Meanwhile, Canonical has released updates for Ubuntu 6.06 LTS (bind9 9.3.2-2ubuntu1.7), Ubuntu 8.04 LTS (bind9 9.4.2.dfsg.P2-2ubuntu0.2), Ubuntu 8.10 (bind9 9.5.0.dfsg.P2-1ubuntu3.2) and Ubuntu 9.04 (bind9 9.5.1.dfsg.P2-1ubuntu0.1). A patch that corrects this issue in Red Hat Enterprise Linux is also available.
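
The fixed upstream releases named above (9.4.3-P3, 9.5.1-P3, 9.6.1-P1) can be turned into a quick inventory triage. The following Python sketch is an added example, not code from ISC or from this article; the host names and inventory are constructed, and the status labels are this example's own. Distribution package strings are deliberately not compared, because vendors backport the fix into older version numbers.

```python
import re

# Fixed upstream releases named in the article: branch -> (patch, P-level).
FIXED = {(9, 4): (3, 3), (9, 5): (1, 3), (9, 6): (1, 1)}

# Plain upstream form only, e.g. "9.5.1-P2" or "BIND 9.6.1".
UPSTREAM = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'check-vendor' or 'not-covered'."""
    m = UPSTREAM.match(version.strip())
    if m is None:
        # Anything not in plain upstream form, such as a distribution build
        # ("9.5.1.dfsg.P2-1ubuntu0.1"), may carry a backported fix and has to
        # be checked against the vendor's own advisory instead.
        return "check-vendor"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    plevel = int(m.group(4) or 0)  # no "-P" suffix means patch level 0
    if major != 9:
        return "not-covered"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Older 9.x branches have no fixed release named in the article;
        # newer branches are outside what the article covers.
        return "vulnerable" if minor < 4 else "not-covered"
    return "fixed" if (patch, plevel) >= fixed else "vulnerable"


def audit(inventory: dict) -> dict:
    """Map each host in a {host: version} inventory to its classification."""
    return {host: classify(v) for host, v in inventory.items()}


# Constructed inventory for illustration (host names are made up).
SAMPLE = {
    "ns1.example.net": "9.4.3-P2",
    "ns2.example.net": "BIND 9.6.1-P1",
    "ns3.example.net": "9.5.1.dfsg.P2-1ubuntu0.1",
    "ns4.example.net": "9.3.6-P1",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:18} {SAMPLE[host]:28} {status}")
```
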