The Internet Systems Consortium (ISC) announced on Tuesday the release of BIND 9.10.2-P3 and BIND 9.9.7-P2. The updates for the popular Domain Name System (DNS) software address a critical denial-of-service (DoS) vulnerability that affects almost all BIND servers.
The remotely exploitable vulnerability (CVE-2015-5477) involves an error in the handling of TKEY record queries. An attacker can use a specially crafted DNS request packet to trigger a REQUIRE assertion failure and cause BIND to exit.
The security bug reported by Jonathan Foote affects BIND 9.1.0 through 9.8.x, BIND 9.9.0 through 9.9.7-P1, and BIND 9.10.0 through 9.10.2-P2. The vulnerability affects both recursive and authoritative servers, and it cannot be mitigated by access control lists (ACLs) or configuration options because the vulnerable code is triggered early in the handling of the packet.
The vulnerability has been rated “critical” because it affects almost all BIND servers, not just ones that have been configured in a certain manner. Furthermore. there are no workarounds for this problem.
“The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer,” explained Michael McNally of the ISC. “I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.”
Users are advised to install BIND 9.10.2-P3 or BIND 9.9.7-P2 as soon as possible. Amazon, Red Hat and others have already taken steps to protect their customers against potential attacks.
ISC has announced that BIND 9.9 (Extended Support Version) will be supported until June 2017. The end of life for BIND 9.10 has not been determined yet but support will not end before BIND 9.12.0 has been released for 6 months.