ISC Releases Security Updates for BIND (September 2015)

Last week the Internet Systems Consortium (ISC) released security updates to resolve 2 critical denial of service (defined) CVEs (defined) in its BIND DNS server software.

The first vulnerability is caused by incorrect boundary checking within the OpenPGP key module of the server. Such boundary checks are usually carried out to prevent buffer overflow attacks (defined). If an attacker can supply a specifically crafted response to a query from the server; such a response would cause a REQUIRE assertion failure which in turn causes BIND to exit. Assert functions are generally used in software code to trigger a program to halt when certain conditions occur.

According to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

The final security update resolves an issue that is almost identical to the issue discussed in a previous blog post. As before if an attacker can send a malformed DNSSEC key by sending a query to the BIND server that requires the server to obtain a response from a DNS zone (the area in which a DNS server has authority for, defined here) containing this malformed key. In a similar manner to the first flaw (discussed above) attempting to parse (analyze data in a structured manner in order to create meaning from it) this malformed key will cause the server to halt due to an assertion and thus will not be able to carry out its role as a DNS server. While a workaround is available, it has a drawback and therefore it’s recommended to install the applicable security update rather than use this workaround.

Why Are These Issues Considered Critical?
As was previously seen with the last set of updates for BIND, these security issues when exploited can result in the BIND software being unavailable for use. For any device that uses your server for DNS services, those devices will no longer be able to access websites, other intranet resources or use email.

How Can I Protect Myself From These Issues?
If you use BIND (it is included with some Linux distributions e.g. Ubuntu, Redhat etc.) to provide any DNS services within your company or you know anybody who may be affected by these issues, please follow the advice in ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.