A “critical” security flaw reported in BIND, the most widely used DNS server software, could allow attackers to crash domain name servers, according to the Internet Systems Consortium (ISC), which maintains BIND.
The flaw is particularly noteworthy in light of a massive distributed denial-of-service (DDoS) attack carried out recently against anti-spam organisation Spamhaus, said to be the largest ever recorded. The culprits relied on an increasingly popular technique called DNS reflection that makes use of DNS servers to amplify the effect of an attack.
The flaw affects the version of BIND used on Linux and Unix systems, but doesn’t affect the Windows version. BIND is the de facto standard DNS server software on Unix. Other programs using BIND’s libdns library are also potentially vulnerable to the same attack.
“A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server,” ISC said in a security advisory. “This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine.”
ISC said versions 9.7.x, 9.8.0 to 9.8.5b1 and 9.9.0 to 9.9.3b1 are affected. Versions earlier than BIND 9.7.0 are not affected, nor is BIND 10, but ISC remarked that BIND 10 is not feature-complete and may not be suitable as a replacement for earlier versions.
Patched versions of BIND, 9.9.2-P2 and 9.8.4-P2, have been released; they eliminate the flaw by disabling support for regular expressions. As a workaround, ISC said, administrators can recompile BIND by hand without regular-expression support. BIND 9.7 is no longer supported and will not be patched, but ISC said the recompilation workaround is also effective on that version.
While no exploit is currently known to be available, ISC said this flaw would not be difficult for an attacker to make use of, and urged system administrators to patch their systems immediately.
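For administrators triaging the version ranges above, the following check is an added example, not code from the article or from ISC. It parses the version string `named -v` prints (assumed to look like `BIND 9.9.2-P2`, with optional `b`/`rc` pre-release and `-P` patch suffixes) and reports whether the build falls inside the affected ranges the article quotes: all of 9.7.x, 9.8.0 through 9.8.5b1, and 9.9.0 through 9.9.3b1, with 9.8.4-P2 and 9.9.2-P2 as the fixed releases. It assumes that later `-P` levels on those same bases are cumulative fixes; that is an assumption, not something the article states.

```python
import re
import subprocess
from typing import Optional, Tuple

# Assumed format of `named -v` output, e.g. "BIND 9.9.2-P2" or "BIND 9.8.5b1".
_VERSION_RE = re.compile(
    r"(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+))?(?:-P(\d+))?"
)

# Pre-release stages sort before the final release of the same number.
_STAGE_RANK = {"b": 0, "rc": 1, None: 2}

VersionKey = Tuple[int, int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn a BIND version string into a sortable tuple.

    Key layout: (major, minor, patch, stage_rank, stage_number, p_level), so that
    9.8.4 < 9.8.4-P2 < 9.8.5b1 < 9.8.5rc1 < 9.8.5 compare the way ISC numbers them.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor, patch, stage, stage_num, p_level = m.groups()
    return (
        int(major),
        int(minor),
        int(patch),
        _STAGE_RANK[stage],
        int(stage_num) if stage_num else 0,
        int(p_level) if p_level else 0,
    )


# Inclusive ranges from the ISC statement quoted in the article (9.7.x handled separately).
AFFECTED_RANGES = [
    (parse_version("9.8.0"), parse_version("9.8.5b1")),
    (parse_version("9.9.0"), parse_version("9.9.3b1")),
]

# Patched releases named in the article, keyed by base version -> minimum fixed -P level.
# Assumption: later -P levels on the same base also carry the fix.
FIXED_BASES = {(9, 8, 4): 2, (9, 9, 2): 2}


def is_affected(text: str) -> bool:
    """True if the given BIND version lies in the affected ranges quoted in the article."""
    v = parse_version(text)
    major, minor, patch, stage_rank, _, p_level = v
    # The whole 9.7 branch is affected and, per the article, will not be patched.
    if (major, minor) == (9, 7):
        return True
    # A final-release build at or above the fixed -P level for its base is patched.
    base = (major, minor, patch)
    if stage_rank == _STAGE_RANK[None] and base in FIXED_BASES and p_level >= FIXED_BASES[base]:
        return False
    # Everything else: affected only if inside one of the quoted ranges.
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def check_local_named() -> Optional[Tuple[str, bool]]:
    """Run `named -v` on this host and classify it; None if named is not installed."""
    try:
        out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    line = out.stdout.strip().splitlines()[0] if out.stdout.strip() else ""
    return line, is_affected(line)


if __name__ == "__main__":
    # Constructed sample strings covering the boundaries of the quoted ranges.
    samples = ["BIND 9.7.3", "BIND 9.8.4-P1", "BIND 9.8.4-P2", "BIND 9.8.5b1",
               "BIND 9.9.2-P2", "BIND 9.9.3b1", "BIND 9.9.3", "BIND 9.6.3"]
    for s in samples:
        print(f"{s:16} affected={is_affected(s)}")
    local = check_local_named()
    if local:
        print("local named:", local[0], "affected=" + str(local[1]))
```

The ordering key is the part worth checking by hand: a beta such as 9.8.5b1 must sort above 9.8.4-P2 (so it stays inside the affected range) yet below the 9.8.5 final release, and a `-P2` patch release must sort above its unpatched base.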
On the Full Disclosure mailing list last week, a programmer named Daniel Franke said he had developed an exploit in “approximately ten minutes”.
“I didn’t even have to write any code to do it, unless you count regexes [regular expressions] or BIND zone files as code,” Franke wrote. “It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild.”
“This… stands out from most other BIND vulnerabilities due to its ease of exploitation,” Franke added.
ISC manager of quality Jeff Wright responded that Franke’s method of exploitation is only one of many that attackers could use against affected DNS servers.
“The vector identified by Mr. Franke is not the only one possible,” Wright wrote on Full Disclosure. “Operators of any recursive or authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue.”