Vulnerability discovered in BIND could allow Denial of Service

ITS Advisory Number: 
Date(s) Issued: 
Tuesday, August 4, 2015

A recently disclosed vulnerability in BIND makes it possible for an attacker to crash any server running a vulnerable version of the software. BIND is the most widely used Domain Name System (DNS) server software; DNS servers translate human-friendly domain names into the IP addresses used by networking devices.

Successful exploitation could result in an attacker crashing the server and causing a denial of service condition.

Systems Affected: 
  • 9.1.0 to 9.8.x
  • 9.9.0 to 9.9.7-P1
  • 9.10.0 to 9.10.2-P2
Large and medium government entities: 
Small government entities: 
Large and medium business entities: 
Small business entities: 
Home Users: 

A vulnerability has been discovered in BIND's "TKEY" feature. The vulnerability, which involves the way that BIND handles some queries related to transaction key records, resides in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. Attackers can exploit it by sending a vulnerable server a malformed packet, which causes the server to crash. Exploit code for this vulnerability is publicly available and is being used against public DNS servers to crash them.
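Because the defect lies in BIND's handling of TKEY queries, one thing a defender can do while rolling out the patch is to watch for TKEY (RR type 249, per RFC 2930) in the question section of inbound DNS traffic and to flag question sections that do not parse at all. The following parser is an added example written for this advisory; it is not code from the advisory or from ISC. The sample packets are constructed inline for illustration. Note that TKEY queries also occur legitimately (for example GSS-TSIG key negotiation for dynamic updates), so this is a triage signal, not proof of attack.

```python
import struct

TYPE_A = 1
TYPE_TKEY = 249      # RR type number for TKEY (RFC 2930)


def _read_name(data, offset):
    """Read a DNS wire-format name at `offset`; return (name, end_offset).

    Handles label compression pointers (0xC0 prefix) so the parser does not
    choke on responses that reuse names, and bounds every read so truncated
    input raises ValueError instead of being silently accepted.
    """
    labels, hops, end, jumped = [], 0, None, False
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # resume after the pointer
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) or ".", end


def parse_questions(packet):
    """Return [(qname, qtype, qclass), ...] from the question section."""
    if len(packet) < 12:
        raise ValueError("short header")
    _qid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = _read_name(packet, offset)
        if offset + 4 > len(packet):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions


def classify(packet):
    """'tkey' if any question asks for TKEY, 'malformed' if the question
    section does not parse, otherwise 'other'."""
    try:
        questions = parse_questions(packet)
    except ValueError:
        return "malformed"
    return "tkey" if any(q[1] == TYPE_TKEY for q in questions) else "other"


def build_query(name, qtype, qid=0x1234):
    """Build a minimal standard query (constructed test input only)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample packets (not captured traffic).
SAMPLE_A = build_query("www.example.com", TYPE_A)
SAMPLE_TKEY = build_query("key.example.com", TYPE_TKEY)
SAMPLE_TRUNCATED = SAMPLE_TKEY[:20]

if __name__ == "__main__":
    for label, pkt in [("A", SAMPLE_A), ("TKEY", SAMPLE_TKEY),
                       ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{label:10s} -> {classify(pkt)}")
```

In practice the packets would come from a capture or a UDP socket; the parser only looks at the question section, so a flood of "tkey" or "malformed" classifications from one source is the signal to investigate and to confirm the patch is in place.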

Both recursive and authoritative servers are vulnerable to this defect. Exposure is not prevented by ACLs or by configuration options limiting or denying service, because the exploitable code runs early in packet handling, before the checks that enforce those boundaries. There is no workaround for the vulnerability; administrators will need to apply the latest patch and restart BIND to stop attacks. Major Linux distributions including Red Hat, CentOS and Ubuntu have issued patches.
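Since patching is the only fix, the first step on every DNS host is to confirm which BIND version is actually running. The script below, an added example for this advisory rather than code from the advisory or from ISC, parses a BIND version string of the form used above (for example "9.9.7-P1") and compares it against the affected ranges the advisory lists. It assumes ISC's ordering in which a "-Pn" patch release sorts after its base release and before the next one; other suffixes such as rc or beta builds are not handled, and a version outside the listed ranges is reported as "not in the advisory's affected ranges", not as safe.

```python
import re
import subprocess

# Affected ranges copied from the advisory, inclusive at both ends, as
# (major, minor, patch, P-level). "9.8.x" covers every 9.8 release, so its
# upper bound uses a large sentinel for the last two fields.
_ANY = 10 ** 6
AFFECTED_RANGES = [
    ((9, 1, 0, 0), (9, 8, _ANY, _ANY)),   # 9.1.0 to 9.8.x
    ((9, 9, 0, 0), (9, 9, 7, 1)),         # 9.9.0 to 9.9.7-P1
    ((9, 10, 0, 0), (9, 10, 2, 2)),       # 9.10.0 to 9.10.2-P2
]

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_bind_version(text):
    """Extract (major, minor, patch, plevel) from strings such as
    '9.9.7-P1' or 'BIND 9.10.2-P2 (Extended Support Version) <id:...>'.
    Raises ValueError when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text):
    """True if the version in `text` falls inside any advisory range."""
    version = parse_bind_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def check_local_named():
    """Run `named -v` on this host and report whether it is affected.
    Returns None when named is not installed or not on PATH."""
    try:
        out = subprocess.run(["named", "-v"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return is_affected(out)


if __name__ == "__main__":
    # Constructed sample strings in the format `named -v` prints.
    for sample in ["BIND 9.9.7-P1 (Extended Support Version)",
                   "BIND 9.9.7-P2 (Extended Support Version)",
                   "BIND 9.8.4-P2", "BIND 9.10.3"]:
        status = "AFFECTED" if is_affected(sample) else "not in affected ranges"
        print(f"{sample:45s} {status}")
    local = check_local_named()
    print("local named:", "not found" if local is None else
          ("AFFECTED" if local else "not in affected ranges"))
```

The same comparison can be fed with output from a configuration-management inventory instead of `named -v`, which is the practical way to find every affected host in a fleet before restarting them.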

  • After appropriate testing, immediately apply the appropriate update to BIND and restart the service.