ISC Releases Security Updates for BIND (January 2016)

On the 19th of January Internet Systems Consortium (ISC) released 2 security updates to address critical and medium severity denial of service issues (defined) within their BIND DNS software.

Why Should These Issues Be Considered Important?
This critical severity remotely exploitable vulnerability is caused by a buffer overflow (defined) within a guard feature intended to prevent such an overflow. If an overflow occurred, it could cause BIND to exit. Examples of possible ways (not an exhaustive list) for this vulnerability to be exploited are provided by ISC within their first security advisory for these issues. For the remaining medium severity remotely exploitable issue an error in how BIND interprets specifically formatted text could cause an assertion (defined) again resulting in the possible exiting of BIND.

These issues affect a large number of versions (listed below) of BIND making them ever more important to address:

=======================
Critical Severity Issue: 9.3.0->9.8.8, 9.9.0->9.9.8-P2, 9.9.3-S1->9.9.8-S3, 9.10.0->9.10.3-P2
Medium Severity Issue: 9.10.0->9.10.3-P2
=======================

In addition, as mentioned by ISC, versions 9.3 to 9.8 of BIND are considered end of life and will not be receiving updates to address the critical issue. Currently supported versions of BIND are listed here.

Moreover, according to ISC, the critical issue has no workarounds or known mitigations. The medium severity issue can be mitigated by disabling debug logging (but only as a temporary measure until the appropriate update can be applied).

How Can I Protect Myself from These Issues?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by these issues, please follow the advice within ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c
CVE-2015-8705: Problems converting OPT resource records and ECS options to text format can cause BIND to terminate.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s