A “critical” security flaw reported in BIND, the most widely used DNS server software, could allow attackers to crash domain name servers, according to the Internet Systems Consortium (ISC), which maintains BIND.
The flaw is particularly noteworthy in light of a massive distributed denial-of-service (DDoS) attack carried out recently against anti-spam organisation Spamhaus, said to be the largest ever recorded. The culprits relied on an increasingly popular technique called DNS reflection that makes use of DNS servers to amplify the effect of an attack.
The flaw affects the version of BIND used on Linux and Unix systems, but doesn’t affect the Windows version. BIND is the de facto standard DNS server software on Unix. Other programs using BIND’s libdns library are also potentially vulnerable to the same attack.
“A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server,” ISC said in a security advisory. “This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine.”
ISC said versions 9.7.x, 9.8.0 to 9.8.5b1 and 9.9.0 to 9.9.3b1 are affected. Versions earlier than BIND 9.7.0 are not affected, nor is BIND 10, but ISC remarked that BIND 10 is not feature-complete and may not be suitable as a replacement for earlier versions.
Patched versions of BIND called 9.9.2-P2 and 9.8.4-P2 have been released, eliminating the flaw by disabling support for regular expressions, while ISC said a workaround is for administrators to manually recompile BIND without regular expression support. BIND 9.7 is no longer being supported and will not be patched, but the re-compilation technique is also effective on this version, ISC said.
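As an added defender-side check that is not part of the article or of ISC's advisory, the script below maps a `named -v` version string onto the affected and patched versions the article lists; it assumes that later -P releases on the 9.8.4 and 9.9.2 lines also carry the fix, and the sample version strings are constructed.

```python
import re
from typing import NamedTuple, Optional

# Affected ranges as quoted from the ISC advisory in the article:
# 9.7.x (all), 9.8.0 .. 9.8.5b1, 9.9.0 .. 9.9.3b1; fixed in 9.8.4-P2 and 9.9.2-P2.
# Versions are ordered as: major, minor, patch, pre-release rank, pre-release
# number, -P level. Beta/rc builds sort before the final release; -Pn after it.
_PRE_RANK = {"b": 0, "rc": 1, None: 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+))?(?:-P(\d+))?")

class BindVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    pre_rank: int
    pre_num: int
    plevel: int

def parse_version(text: str) -> Optional[BindVersion]:
    """Pull a version out of a string such as the first line of `named -v`."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, pre, pre_num, plevel = m.groups()
    return BindVersion(int(major), int(minor), int(patch),
                       _PRE_RANK[pre], int(pre_num or 0), int(plevel or 0))

# Upper bound of the affected 9.8 / 9.9 ranges and the (patch, -P) line fixing each.
_UPPER = {8: parse_version("9.8.5b1"), 9: parse_version("9.9.3b1")}
_FIXED_LINE = {8: (4, 2), 9: (2, 2)}   # 9.8.4-P2, 9.9.2-P2

def assess(text: str) -> str:
    """Classify a version string as affected, patched, not listed, or unknown."""
    v = parse_version(text)
    if v is None:
        return "unknown: no BIND version string found"
    if v.major != 9 or v.minor not in (7, 8, 9):
        return "not listed as affected"   # pre-9.7.0 and BIND 10 are unaffected per ISC
    if v.minor == 7:
        return "affected: 9.7 is end-of-life, no patch; rebuild without regex support"
    patch, plevel = _FIXED_LINE[v.minor]
    if v.patch == patch and v.plevel >= plevel:
        return "patched"   # assumption: later -P releases on this line keep the fix
    if v > _UPPER[v.minor]:
        return "not listed as affected"
    return "affected: upgrade to 9.%d.%d-P%d or rebuild without regex support" % (v.minor, patch, plevel)
```

Distributions often backport fixes without changing the version string, so treat this as a first pass and confirm against the vendor's own advisory.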
While no exploit is currently known to be available, ISC said this flaw would not be difficult for an attacker to make use of, and urged system administrators to patch their systems immediately.
On the Full Disclosure mailing list last week, a programmer named Daniel Franke said he had developed an exploit in “approximately ten minutes”.
“I didn’t even have to write any code to do it, unless you count regexes [regular expressions] or BIND zone files as code,” Franke wrote. “It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild.”
“This… stands out from most other BIND vulnerabilities due to its ease of exploitation,” Franke added.
ISC manager of quality Jeff Wright responded that Franke’s method of exploitation is only one of many that attackers could use to attack affected DNS servers.
“The vector identified by Mr. Franke is not the only one possible,” Wright wrote on Full Disclosure. “Operators of any recursive or authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue.”