Security Updates for BIND DNS Software Fix Multiple Vulnerabilities

BIND, the most widely used Domain Name System (DNS) software, has been updated to address several remotely exploitable vulnerabilities, the Internet Systems Consortium (ISC) announced on Monday.

One of the flaws (CVE-2014-8500), reported by Florian Maury of the French government information security agency ANSSI, can be exploited to crash BIND or cause memory exhaustion.

“By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation.  This can lead to resource exhaustion and denial of service (up to and including termination of the named server process),” ISC noted in an advisory.

The vulnerability, rated critical, affects BIND versions 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1. The security hole has been addressed with the release of BIND 9.9.6-P1 and BIND 9.10.1-P1.

A number of high-severity flaws that can be exploited to cause BIND to crash (CVE-2014-8680) have been identified in the GeoIP features added in BIND 9.10.

“Two are capable of crashing BIND — triggering either can cause named to exit with an assertion failure, resulting in a denial of service condition.  A third defect is also corrected, which could have caused GeoIP databases to not be loaded properly if their location was changed while BIND was running,” ISC noted in a separate advisory.

 These vulnerabilities, reported by Felipe Ecker of Azion Technologies, affect only servers that were compiled with GeoIP enabled. Users who don’t know if their servers include this functionality can check the output of the command “named -V” for the string “–with-geoip.”

ISC advises users and administrators to upgrade their installations to BIND 9.10.1-P1 to address the GeoIP issues. However, workarounds are also available.

The organization says it’s not aware of any active exploits for these vulnerabilities.

BIND 9.6-ESV and BIND 9.8 have reached their end of life and no longer receive updates. Users of these versions are advised to transition to supported branches. However, because CVE-2014-8500 is considered a critical issue, ISC is providing source code diffs for these older versions on request.

While no exploits have been spotted in the wild for these vulnerabilities, there have been cases where denial-of-service (DoS) flaws impacting BIND have been leveraged to cause servers to crash. In July 2013, ISC released a patch to address an issue that had been exploited to crash BIND nameservers.