Internet Systems Consortium Security Updates for BIND

ITS Advisory Number: 2016-050
Date(s) Issued: Thursday, March 10, 2016
Subject: Internet Systems Consortium Security Updates for BIND
Overview: 

Multiple vulnerabilities were discovered in Berkeley Internet Name Domain (BIND) that could allow for Denial of Service (DoS). BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. Servers which are built with DNS cookie support enabled are vulnerable to denial of service if an attacker can cause them to receive and process a response that contains multiple cookie options.

Systems Affected: 
  • BIND 9 version 9.0.0 -> 9.8.8
  • BIND 9 version 9.2.0 -> 9.8.8
  • BIND 9 version 9.9.0 -> 9.9.8-P3
  • BIND 9 version 9.9.3-S1 -> 9.9.8-S5
  • BIND 9 version 9.10.0 -> 9.10.3-P3
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: N/A
Description: 

Multiple vulnerabilities were discovered in Berkeley Internet Name Domain (BIND) that could allow for Denial of Service (DoS). BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. Servers which are built with DNS cookie support enabled are vulnerable to denial of service if an attacker can cause them to receive and process a response that contains multiple cookie options. These vulnerabilities are as follows:

  • A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure [CVE-2016-2088]
  • An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c [CVE-2016-1285]
  • A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c [CVE-2016-1286] 
Actions: 
  • Reconfigure and rebuild BIND without enabling cookie support or upgrade to the patch release most closely related to your current version of BIND.
  • Restrict access to the control channel (by using the "controls" configuration statement in named.conf) to allow connection only from trusted systems.
    • If no "controls" statement is present, named defaults to allowing control channel connections only from localhost (127.0.0.1 and ::1) if the file rndc.key exists in the configuration directory and contains valid key syntax.
    • If rndc.key is not present and no "controls" statement is present in named.conf, named will not accept commands on the control channel.
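
The control channel guidance above can be checked against a named.conf with a small audit script. This is an added example, not part of the advisory or of BIND; the function name `audit_controls`, the severity labels and the sample configuration are assumptions, and the regex-based parser only understands the "controls" statement.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost", "none"}
INET_RE = re.compile(r"\binet\s+(\S+)(?:\s+port\s+(\S+))?\s+allow\s*\{([^{}]*)\}")
# controls { ... }; whose body may hold one level of nested { } (allow, keys)
CONTROLS_RE = re.compile(r"\bcontrols\s*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;")

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: quoting is not tracked)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def audit_controls(conf_text, rndc_key_exists):
    """Return (severity, message) findings for the rndc control channel."""
    blocks = CONTROLS_RE.findall(strip_comments(conf_text))
    if not blocks:
        # Defaults as described in the advisory's Actions section.
        if rndc_key_exists:
            return [("ok", "no controls statement: localhost only, via rndc.key")]
        return [("ok", "no controls statement, no rndc.key: channel disabled")]
    findings = []
    for body in blocks:
        for addr, port, allow in INET_RE.findall(body):
            where = f"inet {addr} port {port or 953}"  # 953 is the rndc default
            acl = [e.strip() for e in allow.split(";") if e.strip()]
            untrusted = [e for e in acl if e not in LOOPBACK]
            if "any" in acl:
                findings.append(("high", f"{where}: allow list contains 'any'"))
            elif untrusted:
                findings.append(("review", f"{where}: confirm trusted: {untrusted}"))
            else:
                findings.append(("ok", f"{where}: loopback only"))
    return findings or [("ok", "controls statement has no inet listeners")]

# Constructed sample named.conf text (not taken from the advisory).
SAMPLE = """
options { directory "/var/named"; };
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; ::1; } keys { "rndc-key"; };
    inet * allow { any; } keys { "rndc-key"; };   # reachable from anywhere
    inet 192.0.2.10 allow { 192.0.2.0/24; };      // needs a human decision
};
"""

if __name__ == "__main__":
    for severity, message in audit_controls(SAMPLE, rndc_key_exists=True):
        print(f"{severity:6} {message}")
```

Entries marked "review" are not necessarily wrong; they list allow-list elements that someone must confirm are trusted systems.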