ISC Releases Security Updates for BIND (March 2016)

Last week the Internet Systems Consortium (ISC) released 3 security updates to address 3 high severity denial of service issues (defined) found within their BIND DNS software.

Separately ISC has released a security advisory for ISC DHCP concerning a denial of service issue that has not yet been resolved using a patch/update. Workarounds for this issue are available within that advisory. I will update this post when these updates become available. This issue affects the following versions of ISC DHCP: 4.1.0->4.1-ESV-R12-P1, 4.2.0->4.2.8, 4.3.0->4.3.3-P1

=======================
Update 25th June 2016
=======================
At this time as I mentioned below in my previous update; the updates to address the issue mentioned above within ISC DHCP have not yet been released. I will continue to monitor the security advisory until these updates are made available.

Thank you.
=======================
Update 26th April 2016
=======================
At this time, the updates to address the issue mentioned above within ISC DHCP have not yet been released. I will continue to monitor the security advisory until these updates are made available.

Thank you.

Why Should These Issues Be Considered Important?
These issues affect a large number of versions (listed below) of BIND making these issues ever more important to address as soon as possible:

=======================
Advisory 1: 9.10.0 -> 9.10.3-P3
Advisory 2: 9.2.0 -> 9.8.8, 9.9.0->9.9.8-P3, 9.9.3-S1->9.9.8-S5, 9.10.0->9.10.3-P3
Advisory 3: 9.0.0 -> 9.8.8, 9.9.0 -> 9.9.8-P3, 9.9.3-S1 -> 9.9.8-S5, 9.10.0 -> 9.10.3-P3
=======================

The first security issue involves an error in the implementation for preliminary support for DNS cookies. If an attacker sends a malformed packet containing multiple cookie options, the named control channel will exit with an INSIST assertion (defined) meaning that the DNS server is no longer available to process user requests (a denial of service).

If you cannot deploy the patch for this issue immediately, a workaround is provided by ISC within this security advisory which you can use until the patch is installed.

The second security issue involves the incorrect parsing (analyzing data in a structured manner in order to create meaning from it) of a malformed packet deliberately sent to the server by a remote attacker. This description from ISC seems a little misleading since you cannot correctly parse an incorrectly formed packet, what I expect they mean is that an unexpected/inappropriate action is taken by the named control channel when it encounters a malformed packet which results in a security issue. In this instance an assertion failure results in the named control channel exiting as before resulting in a a denial of service.

If you cannot deploy the patch for this issue immediately, a workaround is provided by ISC within this security advisory which you can use until the patch is installed.

The third and final security issues addressed by the issued security updates involves an error in the parsing of DNAME (defined here and here) DNS records. Once again this results in an assertion causing an exit and a resulting denial of service issue. No workaround is available for this issue.

How Can I Protect Myself from These Issues?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by these issues, please follow the advice within ISC’s security advisories to install the necessary updates to resolve these issues as soon as possible:

CVE-2016-2088: A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure
CVE-2016-1285: An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
CVE-2016-1286: A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s