SecurityWeek

BIND Updates Patch Two Critical Vulnerabilities

The Internet Systems Consortium (ISC) announced on Wednesday the availability of BIND 9.10.2-P4 and BIND 9.9.7-P3. The latest versions of the popular DNS software patch a couple of critical denial-of-service (DoS) vulnerabilities.

The first flaw is related to an incorrect boundary check in openpgpkey_61.c (CVE-2015-5986). This can lead to a REQUIRE assertion failure that causes the BIND name server (named) process to terminate. An attacker can exploit the vulnerability by using a maliciously crafted response to answer a query.

“Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server,” ISC wrote in an advisory.

The second vulnerability, reported by Hanno Böck of the Fuzzing Project, is triggered when a malformed DNSSEC key is parsed (CVE-2015-5722). This results in a failed assertion in buffer.c, which causes BIND to exit.

A remote attacker can exploit this security hole to cause a DoS condition by using a query that requires a response from a zone containing an intentionally created malformed key.

“Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service,” ISC said in a different advisory.

CVE-2015-5986 affects BIND versions 9.9.7 through 9.9.7-P2, and 9.10.2 through 9.10.2-P3. CVE-2015-5722 impacts BIND versions 9.0.0 through 9.8.8, 9.9.0 through 9.9.7-P2, and 9.10.0 through 9.10.2-P3.

ISC says there is no evidence that either of these vulnerabilities has been exploited in the wild. Nevertheless, users should update their servers to the patched versions as soon as possible.
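As an added example (not from ISC or the original article), the Python sketch below checks a BIND version string against the affected ranges listed above, comparing versions numerically so that 9.10.x sorts after 9.9.x. The function names are hypothetical, the sample inventory is constructed, and only plain releases and -P builds are parsed.

```python
import re

# Affected ranges as stated in the article (inclusive bounds).
AFFECTED = {
    "CVE-2015-5986": [("9.9.7", "9.9.7-P2"), ("9.10.2", "9.10.2-P3")],
    "CVE-2015-5722": [("9.0.0", "9.8.8"), ("9.9.0", "9.9.7-P2"),
                      ("9.10.0", "9.10.2-P3")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def parse_version(text):
    """Turn '9.10.2-P3' into (9, 10, 2, 3); a plain release has patch level 0.

    Assumption: only release and -P builds are handled. Alpha, beta, rc or
    other suffixed builds raise ValueError instead of being guessed at.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unsupported BIND version string: {text!r}")
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def affected_cves(version):
    """Return the sorted list of CVEs whose stated ranges include version."""
    parsed = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        # Tuple comparison is numeric, so (9, 10, 2) > (9, 9, 7) as intended;
        # a plain string comparison would order these the wrong way round.
        if any(parse_version(lo) <= parsed <= parse_version(hi)
               for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inventory of version strings.
    for v in ["9.8.4", "9.9.7-P2", "9.9.7-P3", "9.10.2", "9.10.2-P4"]:
        print(v, affected_cves(v) or "not in the listed ranges")
```
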

DoS flaws affecting BIND can be very dangerous. One such vulnerability, patched by ISC in late July, has been exploited in the wild to target DNS servers.

In the advisory published for CVE-2015-5722, ISC also thanked the developers of American Fuzzy Lop (AFL), a fuzzing tool that has been instrumental in the discovery of recently patched BIND flaws.

This is not surprising. Google’s Michał Zalewski (lcamtuf), the man behind AFL, conducted a survey to find out what tools are being used by researchers to discover critical vulnerabilities in popular software. Partial results of the study show that fuzzers are used in a majority of cases and AFL is the most popular.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
