Critical denial-of-service flaw in BIND software puts DNS servers at risk

The BIND software maintainers encourage server administrators to disable regular expression support or install patches as soon as possible

A flaw in the widely used BIND DNS (Domain Name System) software can be exploited by remote attackers to crash DNS servers and affect the operation of other programs running on the same machines.

The flaw stems from the way regular expressions are processed by the libdns library that's part of the BIND software distribution. BIND versions 9.7.x, 9.8.0 up to 9.8.5b1 and 9.9.0 up to 9.9.3b1 for UNIX-like systems are vulnerable, according to a security advisory published Tuesday by the Internet Systems Consortium (ISC), a nonprofit corporation that develops and maintains the software. The Windows versions of BIND are not affected.

BIND is by far the most widely used DNS server software on the Internet. It is the de facto standard DNS software for many UNIX-like systems, including Linux, Solaris, various BSD variants and Mac OS X.

The vulnerability can be exploited by sending specially crafted requests to vulnerable installations of BIND that cause the DNS server process -- the name daemon, known as "named" -- to consume excessive memory. This can result in the DNS server process crashing and the operation of other programs on the same machine being severely affected.

"Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions," the ISC said. The organization rates the vulnerability as critical.

One workaround suggested by the ISC is to compile BIND without support for regular expressions, which involves manually editing the "config.h" file using instructions provided in the advisory. The impact of doing this is explained in a separate ISC article that also answers other frequently asked questions about the vulnerability.

The organization also released BIND versions 9.8.4-P2 and 9.9.2-P2, which have regular expression support disabled by default. BIND 9.7.x is no longer supported and won't receive an update.
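To turn the version ranges above into something an operator can run during triage, here is an added example (written for this page, not code from ISC or the BIND project) that parses a BIND version string such as the one printed by `named -v` and reports whether it falls inside the affected ranges the advisory lists, or matches one of the fixed releases. The ordering rules for alpha/beta/rc suffixes and `-P` patch levels are assumptions about how BIND numbers its releases; the sample `named -v` output is constructed.

```python
import re

# Version string grammar: MAJOR.MINOR.PATCH[a|b|rcN][-PN], e.g. "9.8.4-P2", "9.9.3b1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}   # pre-releases sort before the final (rank 3)


def version_key(text):
    """Turn a BIND version string into a sortable tuple (assumed ordering rules)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, patch, pre, pre_num, plevel = m.groups()
    return (
        int(major), int(minor), int(patch),
        _PRE_RANK[pre] if pre else 3,       # final release outranks a/b/rc
        int(pre_num) if pre_num else 0,
        int(plevel) if plevel else 0,       # -P2 outranks -P1 outranks no -P
    )


# Ranges quoted in the article: 9.7.x (all), 9.8.0 -> 9.8.5b1, 9.9.0 -> 9.9.3b1.
# Fixed releases: 9.8.4-P2 and 9.9.2-P2 (a later -P of the same base also counts).
_AFFECTED = {
    (9, 7): None,                                      # whole branch, no fix available
    (9, 8): (version_key("9.8.0"), version_key("9.8.5b1"), version_key("9.8.4-P2")),
    (9, 9): (version_key("9.9.0"), version_key("9.9.3b1"), version_key("9.9.2-P2")),
}


def assess(version):
    """Return 'affected', 'fixed', or 'not listed' for a BIND version string."""
    key = version_key(version)
    branch = key[:2]
    if branch not in _AFFECTED:
        return "not listed"              # e.g. 9.6.x, BIND 10: outside the advisory's ranges
    bounds = _AFFECTED[branch]
    if bounds is None:
        return "affected"                # 9.7.x: unsupported, never patched
    low, high, fixed = bounds
    # Same base release as the fix and an equal or higher -P level counts as fixed.
    if key[:5] == fixed[:5] and key[5] >= fixed[5]:
        return "fixed"
    if low <= key <= high:
        return "affected"
    return "not listed"


def parse_named_version(output):
    """Extract the version token from `named -v` output (assumed format 'BIND x.y.z...')."""
    m = re.search(r"\bBIND\s+(\S+)", output)
    if not m:
        raise ValueError("no BIND version found in: %r" % output)
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample of `named -v` output; on a real host run: named -v
    sample = "BIND 9.9.2-P1 (Extended Support Version)"
    ver = parse_named_version(sample)
    print(ver, "->", assess(ver))
```

A result of "not listed" only means the version is outside the ranges the advisory names; it is not a statement that the build is safe, so pair this with the regex-support check the advisory describes.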

"BIND 10 is not affected by this vulnerability," the ISC said. "However, at the time of this advisory, BIND 10 is not 'feature complete,' and depending on your deployment needs, may not be a suitable replacement for BIND 9."

According to the ISC, there are no known active exploits at the moment. However, that might soon change.

"It took me approximately ten minutes of work to go from reading the ISC advisory for the first time to developing a working exploit," a user named Daniel Franke said in a message sent to the Full Disclosure security mailing list on Wednesday. "I didn't even have to write any code to do it, unless you count regexes [regular expressions] or BIND zone files as code. It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild."

Franke noted that the bug affects BIND servers that "accept zone transfers from untrusted sources." However, that is just one possible exploitation scenario, said Jeff Wright, manager of quality assurance at the ISC, Thursday in a reply to Franke's message.

"ISC would like to point out that the vector identified by Mr. Franke is not the only one possible, and that operators of *ANY* recursive *OR* authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue," Wright said. "We wish, however, to express agreement with the main point of Mr. Franke's comment, which is that the required complexity of the exploit for this vulnerability is not high, and immediate action is recommended to ensure your nameservers are not at risk."

This bug could be a serious threat considering the widespread use of BIND 9, according to Dan Holden, director of the security engineering and response team at DDoS mitigation vendor Arbor Networks. Attackers might start targeting the flaw given the media attention surrounding DNS in recent days and the low complexity of such an attack, he said Friday via email.

Several security companies said earlier this week that a recent distributed denial-of-service (DDoS) attack targeting an anti-spam organization was the largest in history and affected critical Internet infrastructure. The attackers made use of poorly configured DNS servers to amplify the attack.

"There is a fine line between targeting DNS servers and using them to perform attacks such as DNS amplification," Holden said. "Many network operators feel that their DNS infrastructure is fragile and often they go through additional measures to protect this infrastructure, some of which exacerbate some of these problems. One such example is deploying inline IPS devices in front of DNS infrastructure. Designing appropriate filters to mitigate these attacks with stateless inspection is near impossible."

"If operators are relying on inline detection and mitigation, very few security research organizations are proactive about developing their own proof-of-concept code on which to base a mitigation upon," Holden said. "Thus, these types of devices will very rarely get protection until we see semi-public working code. This gives attackers a window of opportunity that they may very well seize."

Also, historically, DNS operators have been slow to patch, and this may definitely come into play if we see movement with this vulnerability, Holden said.
