The Internet Systems Consortium (ISC) announced on Tuesday the release of BIND 9.10.2-P3 and BIND 9.9.7-P2. The updates for the popular Domain Name System (DNS) software address a critical denial-of-service (DoS) vulnerability that affects almost all BIND servers.
The remotely exploitable vulnerability (CVE-2015-5477) involves an error in the handling of TKEY record queries. An attacker can use a specially crafted DNS request packet to trigger a REQUIRE assertion failure and cause BIND to exit.
The security bug reported by Jonathan Foote affects BIND 9.1.0 through 9.8.x, BIND 9.9.0 through 9.9.7-P1, and BIND 9.10.0 through 9.10.2-P2. The vulnerability affects both recursive and authoritative servers, and it cannot be mitigated by access control lists (ACLs) or configuration options because the vulnerable code is triggered early in the handling of the packet.
The vulnerability has been rated “critical” because it affects almost all BIND servers, not just ones that have been configured in a certain manner. Furthermore. there are no workarounds for this problem.
“The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer,” explained Michael McNally of the ISC. “I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.”
Users are advised to install BIND 9.10.2-P3 or BIND 9.9.7-P2 as soon as possible. Amazon, Red Hat and others have already taken steps to protect their customers against potential attacks.
ISC has announced that BIND 9.9 (Extended Support Version) will be supported until June 2017. The end of life for BIND 9.10 has not been determined yet but support will not end before BIND 9.12.0 has been released for 6 months.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
