The Internet Systems Consortium (ISC) announced on Wednesday the availability of BIND 9.10.2-P4 and BIND 9.9.7-P3. The latest versions of the popular DNS software patch a couple of critical denial-of-service (DoS) vulnerabilities.
The first flaw is related to an incorrect boundary check in openpgpkey_61.c (CVE-2015-5986). This can lead to a REQUIRE assertion failure that causes the BIND name server (named) process to terminate. An attacker can exploit the vulnerability by using a maliciously crafted response to answer a query.
“Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server,” ISC wrote in an advisory.
The second vulnerability, reported by Hanno Böck of the Fuzzing Project, is triggered when a malformed DNSSEC key is parsed (CVE-2015-5722). This results in a failed assertion in buffer.c, which causes BIND to exit.
A remote attacker can exploit this security hole to cause a DoS condition by using a query that requires a response from a zone containing an intentionally created malformed key.
“Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service,” ISC said in a different advisory.
CVE-2015-5986 affects BIND versions 9.9.7 through 9.9.7-P2, and 9.10.2 through 9.10.2-P3. CVE-2015-5722 impacts BIND versions 9.0.0 through 9.8.8, 9.9.0 through 9.9.7-P2, and 9.10.0 through 9.10.2-P3.
ISC says there is no evidence that either of these vulnerabilities has been exploited in the wild. Nevertheless, users should update their servers to the patched versions as soon as possible.
DoS flaws affecting BIND can be very dangerous. One such vulnerability, patched by ISC in late July, has been exploited in the wild to target DNS servers.
In the advisory published for CVE-2015-5722, ISC also thanked the developers of American Fuzzy Lop (AFL), a fuzzing tool that has been instrumental in the discovery of recently patched BIND flaws.
This is not surprising. Google’s Michał Zalewski (lcamtuf), the man behind AFL, conducted a survey to find out what tools are being used by researchers to discover critical vulnerabilities in popular software. Partial results of the study show that fuzzers are used in a majority of cases and AFL is the most popular.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.