The Internet Systems Consortium (ISC) has shipped a patch to cover a “critical” denial-of-service (DoS) vulnerability for some versions of BIND, the open-source software that implements the Domain Name System (DNS) protocols for the Internet.
According to an advisory issued by the Consortium, a specially crafted query can cause vulnerable installations of BIND to terminate abnormally.
“A specially crafted query that includes malformed rdata can cause named to terminate with an assertion failure while rejecting the malformed query,” according to the advisory.
The ISC said the issue may already be subject to remote, in-the-wild exploitation since July 26, 2013.
“Crashes have been reported by multiple ISC customers,” the group said, warning that there are no known workarounds.
BIND versions affected:
Open source: 9.7.0->9.7.7, 9.8.0->9.8.5-P1, 9.9.0->9.9.3-P1, 9.8.6b1 and 9.9.4b1; Subscription: 9.9.3-S1 and 9.9.4-S1b1
The ISC warned that authoritative and recursive servers are equally vulnerable. “Intentional exploitation of this condition can cause a denial of service in all nameservers running affected versions of BIND 9. Access Control Lists do not provide any protection from malicious clients,” it added.
“In addition to the named server, applications built using libraries from the affected source distributions may crash with assertion failures triggered in the same fashion,” ISC said.
The ISC is encouraging BIND users to immediately upgrade to the patched release most closely related to your current version of BIND.
Related Reading: In Defense of BIND: Open Source DNS Software Yields a Better Breed of Secure Product

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
Latest News
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Zoom Expands Privacy Options for European Customers
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
