BIND Nameservers Vulnerable to ‘Critical’ DoS Vulnerability

The Internet Systems Consortium (ISC) has shipped a patch to cover a “critical” denial-of-service (DoS) vulnerability for some versions of BIND, the open-source software that implements the Domain Name System (DNS) protocols for the Internet.

According to an advisory issued by the Consortium, a specially crafted query can cause vulnerable installations of BIND to terminate abnormally.

“A specially crafted query that includes malformed rdata can cause named to terminate with an assertion failure while rejecting the malformed query,” according to the advisory.

The ISC said the issue may already be subject to remote, in-the-wild exploitation since July 26, 2013.

“Crashes have been reported by multiple ISC customers,” the group said, warning that there are no known workarounds.

BIND versions affected:

Open source: 9.7.0->9.7.7, 9.8.0->9.8.5-P1, 9.9.0->9.9.3-P1, 9.8.6b1 and 9.9.4b1; Subscription: 9.9.3-S1 and 9.9.4-S1b1

The ISC warned that authoritative and recursive servers are equally vulnerable. “Intentional exploitation of this condition can cause a denial of service in all nameservers running affected versions of BIND 9. Access Control Lists do not provide any protection from malicious clients,” it added.

“In addition to the named server, applications built using libraries from the affected source distributions may crash with assertion failures triggered in the same fashion,” ISC said.

The ISC is encouraging BIND users to immediately upgrade to the patched release most closely related to your current version of BIND.

Related Reading: In Defense of BIND: Open Source DNS Software Yields a Better Breed of Secure Product