SecurityWeek

BIND Updates Patch Two Critical Vulnerabilities

The Internet Systems Consortium (ISC) announced on Wednesday the availability of BIND 9.10.2-P4 and BIND 9.9.7-P3. The latest versions of the popular DNS software patch a couple of critical denial-of-service (DoS) vulnerabilities.

The first flaw is related to an incorrect boundary check in openpgpkey_61.c (CVE-2015-5986). This can lead to a REQUIRE assertion failure that causes the BIND name server (named) process to terminate. An attacker can exploit the vulnerability by using a maliciously crafted response to answer a query.

“Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server,” ISC wrote in an advisory.

The second vulnerability, reported by Hanno Böck of the Fuzzing Project, is triggered when a malformed DNSSEC key is parsed (CVE-2015-5722). This results in a failed assertion in buffer.c, which causes BIND to exit.

A remote attacker can exploit this security hole to cause a DoS condition by using a query that requires a response from a zone containing an intentionally created malformed key.

“Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service,” ISC said in a different advisory.

CVE-2015-5986 affects BIND versions 9.9.7 through 9.9.7-P2, and 9.10.2 through 9.10.2-P3. CVE-2015-5722 impacts BIND versions 9.0.0 through 9.8.8, 9.9.0 through 9.9.7-P2, and 9.10.0 through 9.10.2-P3.

ISC says there is no evidence that either of these vulnerabilities has been exploited in the wild. Nevertheless, users should update their servers to the patched versions as soon as possible.

DoS flaws affecting BIND can be very dangerous. One such vulnerability, patched by ISC in late July, has been exploited in the wild to target DNS servers.

In the advisory published for CVE-2015-5722, ISC also thanked the developers of American Fuzzy Lop (AFL), a fuzzing tool that has been instrumental in the discovery of recently patched BIND flaws.

This is not surprising. Google’s Michał Zalewski (lcamtuf), the man behind AFL, conducted a survey to find out what tools are being used by researchers to discover critical vulnerabilities in popular software. Partial results of the study show that fuzzers are used in a majority of cases and AFL is the most popular.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
