Softpedia
July 5th, 2011, 18:20 GMT · By

Remote Denial of Service Vulnerability Patched in BIND

[Image: BIND update fixes dangerous remote DoS vulnerability]
The Internet Systems Consortium (ISC) has released security updates for the BIND DNS daemon in order to address two serious vulnerabilities that can crash servers.

"A defect in the affected BIND 9 versions allows an attacker to remotely cause the 'named' process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers," the organization warns in one advisory.

The nature of the bug makes it impossible to protect servers via access lists or by disabling features when compiling or running the daemon.

If the server is not facing the Internet, an attacker can still target it via malware installed on computers inside the network where it is located.

The vulnerability carries a CVSS score of 7.8 out of 10. The solution is to upgrade immediately to BIND 9.6-ESV-R4-P3, 9.7.3-P3 or 9.8.0-P4.
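The practical question for an operator reading this is whether a given server is already on one of the three fixed releases. The script below is an added example written for this page, not code from the article or from ISC. It parses BIND's version string, including the 9.6-ESV "R" release numbering, and compares it against the fixed versions the article lists; it assumes that `named -v` prints a line beginning with "BIND " followed by the version, and it reports any branch the article does not name (9.5, non-ESV 9.6, and so on) as "unknown-branch" rather than guessing.

```python
import re

# Fixed releases exactly as named in the article: branch -> first patched release.
# Tuple layout: (major, minor, micro or ESV release number, patch level).
FIXED = {
    "9.6-ESV": (9, 6, 4, 3),   # 9.6-ESV-R4-P3
    "9.7":     (9, 7, 3, 3),   # 9.7.3-P3
    "9.8":     (9, 8, 0, 4),   # 9.8.0-P4
}

# Matches "9.7.3-P3", "9.8.0", "9.6-ESV-R4-P3", "9.6-ESV"; trailing vendor
# suffixes such as "-RedHat-..." are ignored because the match is anchored
# only at the start of the string.
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<micro>\d+))?"
    r"(?P<esv>-ESV)?(?:-R(?P<rel>\d+))?"
    r"(?:-P(?P<patch>\d+))?"
)


def parse_version(version):
    """Return (branch, comparable tuple) for a BIND 9 version string."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    major, minor = int(m["major"]), int(m["minor"])
    esv = m["esv"] is not None
    # For ESV releases the "R" number plays the role of the micro version.
    third = int(m["rel"] or 0) if esv else int(m["micro"] or 0)
    patch = int(m["patch"] or 0)
    branch = f"{major}.{minor}-ESV" if esv else f"{major}.{minor}"
    return branch, (major, minor, third, patch)


def extract_version(named_v_output):
    """Pull the version token out of `named -v` output (assumed form: 'BIND 9.x.y...')."""
    m = re.search(r"\bBIND\s+(\S+)", named_v_output)
    if not m:
        raise ValueError("no 'BIND <version>' token found in output")
    return m.group(1)


def assess(version):
    """'patched', 'vulnerable', or 'unknown-branch' relative to the fixed releases above."""
    branch, key = parse_version(version)
    if branch not in FIXED:
        return "unknown-branch"
    return "patched" if key >= FIXED[branch] else "vulnerable"


if __name__ == "__main__":
    import shutil
    import subprocess

    named = shutil.which("named")
    if named:
        output = subprocess.run([named, "-v"], capture_output=True, text=True).stdout
        running = extract_version(output)
        print(f"{running}: {assess(running)}")
    else:
        # No local named: show the verdict for a few constructed version strings.
        for v in ("9.7.3-P2", "9.7.3-P3", "9.6-ESV-R4-P3", "9.8.0-P4", "9.5.1"):
            print(f"{v}: {assess(v)}")
```

Distribution packages often backport the fix without changing the upstream version string, so a "vulnerable" verdict from this check should be confirmed against the vendor's changelog before acting on it.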

"ISC thanks Roy Arends from Nominet for pin-pointing the exact nature of the vulnerability. We also thank Ramesh Damodaran of Infoblox for finding a variation of the attack vector and Mats Dufberg of TeliaSonera Sweden for confirming additional variants," the organization said.

The second issue patched in the popular DNS daemon concerns two defects that affect BIND 9 servers with recursion enabled and which use Response Policy Zones (RPZ).

This issue can lead to a server crash, but because the RPZ needs to contain specific rules/action patterns for this to happen, the risks are more limited.

The vulnerability carries a CVSS score of 7.8, but it cannot be exploited remotely. The solution is to upgrade to BIND 9.8.0-P4 as soon as possible, or to avoid placing certain CNAME records, and any DNAME records, in an RPZ zone.
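Until a recursive server can be upgraded, the workaround above amounts to auditing the policy zone for the record types involved. The script below is an added example written for this page, not code from the article or from ISC: it reads a zone file in master format and lists every DNAME record (the article says any DNAME is a concern) together with every CNAME record. Because the article does not say which CNAME targets are the problematic ones, flagging all CNAMEs for manual review is an assumption of this example, not a statement from the advisory. The sample zone is constructed for the demonstration; the parser handles $ORIGIN, comments and inherited owner names but not multi-line records in parentheses.

```python
# Constructed sample RPZ zone (not from the article or ISC); RPZ actions are
# expressed as CNAME targets such as "." (NXDOMAIN) and "*." (NODATA).
SAMPLE_RPZ_ZONE = """\
$TTL 300
$ORIGIN rpz.example.           ; constructed policy zone name
@                IN SOA   ns.rpz.example. hostmaster.rpz.example. 2011070500 3600 900 604800 300
                 IN NS    ns.rpz.example.
bad.example      IN CNAME .                     ; NXDOMAIN action
nodata.example   IN CNAME *.                    ; NODATA action
walled.example   IN CNAME walledgarden.example. ; redirect to a local page
*.spam.example   IN DNAME sinkhole.example.     ; rewrites a whole subtree
www.ok.example   IN A     192.0.2.1             ; plain answer, not flagged
"""

# Record types the article's workaround is about. Flagging every CNAME is an
# assumption of this example; the article only says "certain" CNAMEs matter.
FLAGGED_TYPES = {"DNAME", "CNAME"}
CLASSES = {"IN", "CH", "HS"}


def parse_records(zone_text):
    """Yield (owner, rrtype, rdata) for each single-line record in zone_text."""
    origin = "."
    last_owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                # $TTL, $ORIGIN, ...
            directive, _, arg = line.partition(" ")
            if directive.upper() == "$ORIGIN":
                origin = arg.strip()
            continue
        tokens = line.split()
        if line[0].isspace():                   # leading blank: inherit owner
            owner = last_owner
        else:
            owner = tokens.pop(0)
        if owner is None:
            raise ValueError("record without an owner name")
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):           # make relative names absolute
            owner = owner + "." if origin == "." else f"{owner}.{origin}"
        last_owner = owner
        # Skip the optional TTL and class that may precede the type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if not tokens:
            continue
        rrtype = tokens.pop(0).upper()
        yield owner, rrtype, " ".join(tokens)


def find_risky_records(zone_text):
    """Return the DNAME and CNAME records in the zone as a list of dicts."""
    return [
        {"owner": owner, "type": rrtype, "rdata": rdata}
        for owner, rrtype, rdata in parse_records(zone_text)
        if rrtype in FLAGGED_TYPES
    ]


def summarize(findings):
    """Count flagged records per type, e.g. {'CNAME': 3, 'DNAME': 1}."""
    counts = {t: 0 for t in sorted(FLAGGED_TYPES)}
    for f in findings:
        counts[f["type"]] += 1
    return counts


if __name__ == "__main__":
    hits = find_risky_records(SAMPLE_RPZ_ZONE)
    for h in hits:
        print(f"{h['type']:5} {h['owner']} -> {h['rdata']}")
    print(summarize(hits))
```

Run it against the real policy zone file (for example `python rpz_audit.py < rpz.zone` after swapping the sample for `sys.stdin.read()`); every DNAME it reports is something the article's workaround says should not be in the zone, and the CNAME list is the set to review by hand.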

BIND is the most widely used DNS server software and is distributed by default with the majority of Unix and Linux platforms. It is maintained by the Internet Systems Consortium (ISC), a non-profit corporation that develops and maintains several software projects critical to the Internet infrastructure.

Copyright © 2001-2012 Softpedia.