ISC Releases Security Updates for BIND (December 2015)

Earlier this month the Internet Systems Consortium (ISC) released a security update to address a critical denial of service issue (defined) within their BIND DNS software.

This vulnerability is caused by an error in the parsing (analyzing data in a structured manner in order to create meaning from it) of incoming responses allowing records within those responses to have incorrect classes causing them to be accepted rather than rejected. If the parsing was carried out correctly the incorrect class would be detected. A single specifically crafted packet sent to BIND will cause it to trigger a REQUIRE assertion failure which will cause BIND to exit.

Why Is This Issue Considered Critical?
A single specifically crafted response sent to BIND will cause it to trigger a REQUIRE assertion failure when the records within that response are later cached. An attacker could exploit this issue to cause BIND to exit resulting in a denial of service for the legitimate clients of the BIND server. Recursive DNS (defined) BIND servers are at high risk to this issue.

This issue affects a large number of versions (listed below) of BIND making this issue ever more important to address:
9.0.x -> 9.9.8
9.10.0 -> 9.10.3

Moreover, according to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

How Can I Protect Myself From This Issue?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by this issue, please follow the advice within ISC’s security advisory to install the necessary update to resolve this issue:

CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.