Connect with us

Hi, what are you looking for?


Network Security

Security Updates for BIND DNS Software Fix Multiple Vulnerabilities

BIND, the most widely used Domain Name System (DNS) software, has been updated to address several remotely exploitable vulnerabilities, the Internet Systems Consortium (ISC) announced on Monday.

BIND, the most widely used Domain Name System (DNS) software, has been updated to address several remotely exploitable vulnerabilities, the Internet Systems Consortium (ISC) announced on Monday.

One of the flaws (CVE-2014-8500), reported by Florian Maury of the French government information security agency ANSSI, can be exploited to crash BIND or cause memory exhaustion.

“By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation.  This can lead to resource exhaustion and denial of service (up to and including termination of the named server process),” ISC noted in an advisory.

The vulnerability, rated critical, affects BIND versions 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1. The security hole has been addressed with the release of BIND 9.9.6-P1 and BIND 9.10.1-P1.

A number of high-severity flaws that can be exploited to cause BIND to crash (CVE-2014-8680) have been identified in the GeoIP features added in BIND 9.10.

“Two are capable of crashing BIND — triggering either can cause named to exit with an assertion failure, resulting in a denial of service condition.  A third defect is also corrected, which could have caused GeoIP databases to not be loaded properly if their location was changed while BIND was running,” ISC noted in a separate advisory.

 These vulnerabilities, reported by Felipe Ecker of Azion Technologies, affect only servers that were compiled with GeoIP enabled. Users who don’t know if their servers include this functionality can check the output of the command “named -V” for the string “–with-geoip.”

Advertisement. Scroll to continue reading.

ISC advises users and administrators to upgrade their installations to BIND 9.10.1-P1 to address the GeoIP issues. However, workarounds are also available.

The organization says it’s not aware of any active exploits for these vulnerabilities.

BIND 9.6-ESV and BIND 9.8 have reached their end of life and no longer receive updates. Users of these versions are advised to transition to supported branches. However, because CVE-2014-8500 is considered a critical issue, ISC is providing source code diffs for these older versions on request.

While no exploits have been spotted in the wild for these vulnerabilities, there have been cases where denial-of-service (DoS) flaws impacting BIND have been leveraged to cause servers to crash. In July 2013, ISC released a patch to address an issue that had been exploited to crash BIND nameservers. 


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...