BIND Update Patches Critical DoS Vulnerability

Tools

The Internet Systems Consortium (ISC) announced on Tuesday the release of BIND 9.10.2-P3 and BIND 9.9.7-P2. The updates for the popular Domain Name System (DNS) software address a critical denial-of-service (DoS) vulnerability that affects almost all BIND servers.

The remotely exploitable vulnerability (CVE-2015-5477) involves an error in the handling of TKEY record queries. An attacker can use a specially crafted DNS request packet to trigger a REQUIRE assertion failure and cause BIND to exit.

The security bug reported by Jonathan Foote affects BIND 9.1.0 through 9.8.x, BIND 9.9.0 through 9.9.7-P1, and BIND 9.10.0 through 9.10.2-P2. The vulnerability affects both recursive and authoritative servers, and it cannot be mitigated by access control lists (ACLs) or configuration options because the vulnerable code is triggered early in the handling of the packet.

The vulnerability has been rated “critical” because it affects almost all BIND servers, not just ones that have been configured in a certain manner. Furthermore. there are no workarounds for this problem.

“The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer,” explained Michael McNally of the ISC. “I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.”

Users are advised to install BIND 9.10.2-P3 or BIND 9.9.7-P2 as soon as possible. Amazon,Red Hat and others have already taken steps to protect their customers against potential attacks.

ISC has announced that BIND 9.9 (Extended Support Version) will be supported until June 2017. The end of life for BIND 9.10 has not been determined yet but support will not end before BIND 9.12.0 has been released for 6 months.

Sidebar

About The CISSP Certification

Certified Ethical Hacker Certification

Certified in Risk and Information Systems Control

Certified Information Security Manager Certification

Certified Information Systems Auditor Certification

CISSP Certification FAQs

Computer Hacking Forensic Investigator Certification

Free CISSP Practice exams

ISACA Code of Professional Ethics

Dual Ransomware Variants Impacting the Same Victims and Data Destruction Trends

Amplifying Automation with AI & Strong Security Measures

CommonSpirit Health cyberattack, month-long network outage cost $150M

‘Jackpot’: Hacker Snags TSA No-Fly List

Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution

APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector

BitKeep Confirms Cyber Attack, Loses Over $9 Million in Digital Currencies

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

Report: Air-Gapped Networks Vulnerable to DNS Attacks

BIND Update Patches Critical DoS Vulnerability

Tools

More

Certifications

Latest News

Tools

Share This

More

Follow us