BIND Updates Patch Two Critical Vulnerabilities

The Internet Systems Consortium (ISC) announced on Wednesday the availability of BIND 9.10.2-P4 and BIND 9.9.7-P3. The latest versions of the popular DNS software patch a couple of critical denial-of-service (DoS) vulnerabilities.

The first flaw is related to an incorrect boundary check in openpgpkey_61.c (CVE-2015-5986). This can lead to a REQUIRE assertion failure that causes the BIND name server (named) process to terminate. An attacker can exploit the vulnerability by using a maliciously crafted response to answer a query.

“Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server,” ISC wrote in an advisory.

The second vulnerability, reported by Hanno Böck of the Fuzzing Project, is triggered when a malformed DNSSEC key is parsed (CVE-2015-5722). This results in a failed assertion in buffer.c, which causes BIND to exit.

A remote attacker can exploit this security hole to cause a DoS condition by using a query that requires a response from a zone containing an intentionally created malformed key.

“Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service,” ISC said in a different advisory.

CVE-2015-5986 affects BIND versions 9.9.7 through 9.9.7-P2, and 9.10.2 through 9.10.2-P3. CVE-2015-5722 impacts BIND versions 9.0.0 through 9.8.8, 9.9.0 through 9.9.7-P2, and 9.10.0 through 9.10.2-P3.

ISC says there is no evidence that either of these vulnerabilities has been exploited in the wild. Nevertheless, users should update their servers to the patched versions as soon as possible.
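For administrators checking an inventory against the ranges above, the following added example (not code from ISC or from the original article) maps a BIND version string to the CVEs whose listed ranges include it. It assumes versions of the form X.Y.Z or X.Y.Z-Pn, as in the releases named here, and rejects anything else; the function names and sample strings are constructed for illustration.

```python
import re

# Affected ranges as listed in the article, inclusive at both ends.
# Versions are (major, minor, micro, patch); a release without -Pn has patch 0.
AFFECTED = {
    "CVE-2015-5986": [((9, 9, 7, 0), (9, 9, 7, 2)),
                      ((9, 10, 2, 0), (9, 10, 2, 3))],
    "CVE-2015-5722": [((9, 0, 0, 0), (9, 8, 8, 0)),
                      ((9, 9, 0, 0), (9, 9, 7, 2)),
                      ((9, 10, 0, 0), (9, 10, 2, 3))],
}

# Matches X.Y.Z or X.Y.Z-Pn only. The lookarounds reject strings such as
# "9.10.3rc1" or "9.9.7-S1" so they are never silently read as a plain release.
_VERSION_RE = re.compile(r"(?<![\w.])(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(?![\w.-])")


def parse_bind_version(text):
    """Extract (major, minor, micro, patch) from a version string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"unsupported BIND version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def affected_cves(text):
    """Return the CVE ids from the article whose ranges include this version."""
    version = parse_bind_version(text)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(low <= version <= high for low, high in ranges)
    )


if __name__ == "__main__":
    # Constructed sample strings, for example as reported by `named -v`.
    for sample in ["BIND 9.9.7-P2", "BIND 9.9.7-P3", "BIND 9.10.1-P2",
                   "BIND 9.10.2-P4", "BIND 9.8.8"]:
        print(sample, "->", affected_cves(sample) or "not in the listed ranges")
```

A result of "not in the listed ranges" only reflects the two CVEs covered in this article, not the overall patch status of the server.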

DoS flaws affecting BIND can be very dangerous. One such vulnerability, patched by ISC in late July, has been exploited in the wild to target DNS servers.

In the advisory published for CVE-2015-5722, ISC also thanked the developers of American Fuzzy Lop (AFL), a fuzzing tool that has been instrumental in the discovery of recently patched BIND flaws.

This is not surprising. Google’s Michał Zalewski (lcamtuf), the man behind AFL, conducted a survey to find out what tools are being used by researchers to discover critical vulnerabilities in popular software. Partial results of the study show that fuzzers are used in a majority of cases and AFL is the most popular.
