Earlier this week, the Internet Systems Consortium (ISC) released a BIND 9 update to fix two serious Denial of Service (DoS) vulnerabilities in the popular, open source DNS server software.
The two DoS flaws differ technically, but essentially share the same scope and impact. By sending specially crafted packets to your BIND 9 server, an attacker could leverage these flaws to either crash BIND or cause it to exit. In either case, by repeatedly exploiting this flaw an attacker could drastically affect your DNS service, thus preventing your users from browsing the web.
That said, one of the two flaws only affects BIND 9 servers which have recursion enabled, and which use a special feature called “Response Policy Zones” (RPZ). In fact, the flaw only affects BIND servers that have RPZ zones with specific rule or action patterns. These factors significantly mitigate the severity of that particular flaw.
In any case, if you run a BIND 9 server, I recommend you download and install the BIND 9.8.0-P4 update to correct these vulnerabilities.
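To make the two points above actionable (the RPZ flaw's preconditions of recursion plus a response-policy statement, and the 9.8.0-P4 update), here is an added exposure-check script; it is not from the post or from ISC. It assumes you feed it the banner from `named -v` and the text of your named.conf, treats recursion as on unless `recursion no;` is set (BIND's default), and only judges versions on the 9.8.0 branch, since the post names no other fixed releases.

```python
import re

# The update the post recommends: BIND 9.8.0-P4
FIXED_980 = (9, 8, 0, 4)

def parse_bind_version(banner):
    """Turn a `named -v` banner such as 'BIND 9.8.0-P2' into a comparable
    tuple (major, minor, patch, P-level); P-level is 0 when absent."""
    m = re.search(r"BIND\s+(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def needs_980_p4(banner):
    """True if the server runs a 9.8.0 build older than P4, False if it is
    P4 or newer, None for any other branch (check the ISC advisory)."""
    v = parse_bind_version(banner)
    if v is None or v[:3] != (9, 8, 0):
        return None
    return v < FIXED_980

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out config is ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def rpz_flaw_exposure(conf):
    """Check the two preconditions the post gives for the RPZ crash:
    recursion enabled and a response-policy statement present.
    (allow-recursion ACLs are not evaluated here; this is a coarse check.)"""
    text = strip_comments(conf)
    recursion = not re.search(r"\brecursion\s+no\s*;", text)  # BIND default is yes
    rpz = bool(re.search(r"\bresponse-policy\s*\{", text))
    return {"recursion": recursion, "rpz": rpz, "exposed": recursion and rpz}

# Constructed sample named.conf for demonstration (not a real deployment)
SAMPLE_CONF = """
options {
    directory "/var/named";
    recursion yes;   // recursive resolver for the LAN
    response-policy { zone "rpz.example.internal"; };
};
zone "rpz.example.internal" { type master; file "rpz.db"; };
"""

if __name__ == "__main__":
    print("needs 9.8.0-P4:", needs_980_p4("BIND 9.8.0-P2"))
    print("RPZ flaw exposure:", rpz_flaw_exposure(SAMPLE_CONF))
```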
You can learn more about these two vulnerabilities at ISC’s BIND advisory page, or at the individual advisory links below:
- ISC BIND 9 Remote Crash with Certain RPZ Configurations
- ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers
— Corey Nachreiner, CISSP (@SecAdept)