Feb 24, 2011 05:46 GMT

BIND maintainer Internet Systems Consortium (ISC) has released an update which fixes a high risk, remotely exploitable, denial-of-service vulnerability in the DNS server software.

Identified as CVE-2011-0414, the flaw affects BIND versions 9.7.1 and 9.7.2, and was discovered by Neustar, the company responsible for the .us and .biz root zones.

The flaw can be triggered by sending an IXFR transfer or a dynamic update followed by a query to the DNS server, which causes the server to deadlock and stop processing further requests.

"When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur," the ISC explains in its advisory.

The vulnerability is rated with a high severity level and has a CVSS base score of 7.1. The recommended course of action is to upgrade to the newly released BIND 9.7.3.

However, if that's not possible, a workaround is to start named with the -n 1 option, which restricts the number of worker threads to one.

This is only practical on servers with powerful CPUs or reduced loads, where a single processor can handle all the processing.
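As an added example (not ISC's code or anything from the original article), the POSIX shell functions below classify a server's exposure using the two facts the article gives: the affected base versions (9.7.1 and 9.7.2) and the single-worker-thread workaround. They assume the banner from "named -v" starts with "BIND <version>" and that a patch-level suffix such as "-P1" belongs to the same base version; the command line is assumed to be the one shown by ps.

```shell
#!/bin/sh
# Added example, not from ISC or the article: classify a BIND server's
# exposure to CVE-2011-0414 from its "named -v" banner and command line.
# Assumptions: the banner starts with "BIND <version>", and a patch-level
# suffix such as "-P1" counts as the same base version.

# Print the dotted base version from a banner, e.g. "BIND 9.7.2-P3" -> 9.7.2.
# Versions without three numeric components (e.g. 9.6-ESV-R3) print nothing.
bind_base_version() {
  printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if the base version is one the advisory lists as affected.
bind_affected() {
  case "$(bind_base_version "$1")" in
    9.7.1|9.7.2) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the command line runs named with a single worker thread
# ("-n 1" or "-n1"), which is the workaround described in the advisory.
bind_single_thread() {
  set -- $1   # split the command line on whitespace into $1, $2, ...
  while [ $# -gt 0 ]; do
    case "$1" in
      -n1) return 0 ;;
      -n)  [ "${2:-}" = "1" ] && return 0 ;;
    esac
    shift
  done
  return 1
}

# Combine both checks into one status word for reporting.
bind_status() {
  if ! bind_affected "$1"; then
    echo "not-affected"
  elif bind_single_thread "$2"; then
    echo "affected-workaround"
  else
    echo "affected"
  fi
}
```

Run it as bind_status "$(named -v)" "$(ps -o args= -C named)" on a host; "affected" means neither the upgrade nor the workaround is in place.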

ISC notes that older supported versions, such as BIND 9.6.x, 9.6-ESV-Rx, or 9.4-ESV-R4, are not affected by this vulnerability. Neither is the upcoming BIND 9.8, which is currently in RC state.

If there are still users running BIND 9.5, they should upgrade immediately, because that version has reached End of Life and will no longer receive patches or support.

The US Computer Emergency Readiness Team (US-CERT) has also published an advisory about this vulnerability and encourages everyone to apply the update.

BIND is the most widely used DNS server software and is distributed by default with the vast majority of Unix and Linux platforms.