Vulnerability discovered in BIND could allow Denial of Service

ITS Advisory Number: 2015-086
Date(s) Issued: Tuesday, August 4, 2015
Subject: Vulnerability discovered in BIND could allow Denial of Service
Overview: 

A recently disclosed vulnerability in BIND allows a remote attacker to crash any server running a vulnerable version of the software. BIND is the most widely used DNS (Domain Name System) server software; DNS translates human-friendly domain names into the IP addresses used by networked devices.

Successful exploitation crashes the name server process, causing a denial of service condition for every client that depends on it.

Systems Affected: 
  • 9.1.0 to 9.8.x
  • 9.9.0 to 9.9.7-P1
  • 9.10.0 to 9.10.2-P2
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

A vulnerability has been discovered in BIND's handling of TKEY (transaction key) queries. The defect (CVE-2015-5477) lies in the way BIND processes certain queries for TKEY records and is present in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. An attacker exploits it by sending a vulnerable server a single malformed TKEY query, which triggers an assertion failure and terminates the named process. Exploit code is publicly available and is already being used against public DNS servers to crash them.

Both recursive and authoritative servers are affected. ACLs and configuration options that limit or deny service do not prevent exposure, because the faulty code runs early in packet handling, before those access checks are enforced. There is no workaround: administrators must install the patched version and restart named to stop the attacks. Major Linux distributions, including Red Hat, CentOS and Ubuntu, have issued updated packages.
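Because ACLs in named.conf cannot block the crash, the only place to see this traffic before it reaches BIND is on the wire. The following is an added example (not part of the original advisory and not ISC's code) that parses the header and question section of a DNS query in RFC 1035 wire format and flags questions of type TKEY (RR type 249). The sample datagrams and source addresses are constructed here for illustration; the example does not reproduce the malformed packet used by the exploit, it only makes TKEY queries visible so they can be correlated with the patch status of each server. Note that TKEY is used legitimately by GSS-TSIG (for example, Active Directory dynamic updates), so a hit is a triage signal, not proof of an attack.

```python
"""Flag DNS queries whose first question is of type TKEY (RR type 249).

Added example, not from the advisory. Parses the RFC 1035 header and
question section of a UDP DNS payload; the packets built below are
constructed sample input, not captured exploit traffic.
"""
import struct

TKEY = 249  # RR type number for TKEY (RFC 2930)


def build_query(name, qtype, txid=0x1234):
    """Build a minimal one-question DNS query; used only to make sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(buf, off):
    """Decode a wire-format name at offset off; returns (dotted name, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            # Compression pointers are legal but never needed in a query's
            # question section; reject rather than follow them.
            raise ValueError("compression pointer in question")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n


def parse_question(packet):
    """Return (qname, qtype, qclass) of the first question, or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("response, not query")
    if qdcount == 0:
        raise ValueError("no question")
    name, off = _read_name(packet, 12)
    if off + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return name, qtype, qclass


def is_tkey_query(packet):
    """True if the payload parses as a query whose first question is TKEY."""
    try:
        return parse_question(packet)[1] == TKEY
    except ValueError:
        return False


def scan(datagrams):
    """datagrams: iterable of (source, payload). Returns [(source, qname)] for TKEY queries.

    Unparseable payloads are skipped; they belong in a separate malformed-traffic count.
    """
    hits = []
    for src, payload in datagrams:
        try:
            qname, qtype, _ = parse_question(payload)
        except ValueError:
            continue
        if qtype == TKEY:
            hits.append((src, qname))
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: addresses from the RFC 5737 documentation range.
    sample = [
        ("192.0.2.10", build_query("www.example.com.", 1)),     # ordinary A query
        ("192.0.2.20", build_query("example.com.", TKEY)),      # TKEY question
        ("192.0.2.30", b"\x12\x34\x01"),                         # truncated junk
    ]
    for src, qname in scan(sample):
        print(f"TKEY query from {src} for {qname}")
```

Feed `scan()` the payloads of UDP/53 datagrams from a capture, or run it inline on a raw socket; the per-source counts it yields are what to compare against the list of hosts that legitimately use GSS-TSIG.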

Actions: 
  • After appropriate testing, immediately apply the appropriate vendor update to BIND and restart the named service.
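Deciding which servers need the update starts with the version string each one reports. The following is an added example (not part of the original advisory and not ISC's code) that classifies a BIND version string against the three affected ranges listed above. It does no network I/O; pass it the output of `named -v` or the answer to a `version.bind` CH TXT query. The sample strings in the block are constructed for illustration. One caveat the check encodes: distribution packages (Red Hat, CentOS, Ubuntu) often backport the fix without changing the upstream version number, so a string that looks like a distro build is reported as needing an errata check rather than as definitely vulnerable.

```python
"""Classify a BIND version string against the affected ranges in this advisory.

Added example, not from the advisory and not ISC's code. Input is whatever
the server reports (`named -v`, or a `version.bind` CH TXT answer); the
script itself makes no network requests.
"""
import re

# Affected ranges exactly as the advisory lists them (inclusive bounds).
# "x" on the patch level means every release of that minor series.
AFFECTED_RANGES = [
    ("9.1.0", "9.8.x"),
    ("9.9.0", "9.9.7-P1"),
    ("9.10.0", "9.10.2-P2"),
]

# major.minor[.patch][-Pn]; anything after that (rc tags, distro suffixes) is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+|x))?(?:-P(\d+))?")

# Heuristic for distribution builds, whose version string usually keeps the
# upstream number even after the fix has been backported.
_DISTRO_RE = re.compile(r"ubuntu|debian|redhat|\.el\d|rpz|\+", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, plevel), with patch None for 'x'.

    plevel is ISC's -P patch level, so 9.9.7 < 9.9.7-P1 < 9.9.7-P2 < 9.9.8.
    Returns None when the string contains no version number.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (
        int(major),
        int(minor),
        None if patch in (None, "x") else int(patch),
        int(plevel) if plevel else 0,
    )


def _key(v):
    """Sort key; a missing patch level sorts as 0."""
    major, minor, patch, plevel = v
    return (major, minor, 0 if patch is None else patch, plevel)


def in_range(v, low, high):
    """Inclusive check of parsed version v against parsed bounds low and high."""
    if _key(v) < _key(low):
        return False
    if high[2] is None:               # "9.8.x": any patch level of that minor series
        return v[:2] <= high[:2]
    return _key(v) <= _key(high)


def assess(text):
    """One of 'unknown', 'not-affected', 'affected', 'check-distro-errata'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    hit = any(in_range(v, parse_version(lo), parse_version(hi))
              for lo, hi in AFFECTED_RANGES)
    if not hit:
        return "not-affected"
    # A distro package can carry an affected upstream version string and still
    # have the fix backported; the string alone cannot settle it either way.
    if _DISTRO_RE.search(text):
        return "check-distro-errata"
    return "affected"


if __name__ == "__main__":
    # Constructed sample strings, not collected from real servers.
    for s in ["BIND 9.9.7-P1", "9.9.7-P2", "9.10.2-P2", "9.10.2-P3", "9.8.4-P2",
              "9.9.5-3ubuntu0.2-Ubuntu", "not currently available"]:
        print(f"{s!r:40} -> {assess(s)}")
```

Treat "affected" as a verdict and "check-distro-errata" as a work item: for those hosts, confirm against the vendor's errata or the package changelog rather than the version banner. Servers that hide `version.bind` come back as "unknown" and need `named -v` run locally.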