Tag Archives: BIND

ISC Releases Security Updates for BIND (March 2016)

Last week the Internet Systems Consortium (ISC) released 3 security updates to address 3 high severity denial of service issues (defined) found within their BIND DNS software.

Separately, ISC has released a security advisory for a denial of service issue in ISC DHCP for which no patch/update is yet available. Workarounds for this issue are provided within that advisory. I will update this post when these updates become available. This issue affects the following versions of ISC DHCP: 4.1.0->4.1-ESV-R12-P1, 4.2.0->4.2.8, 4.3.0->4.3.3-P1

=======================
Update 25th June 2016
=======================
At this time, as I mentioned below in my previous update, the updates to address the issue mentioned above within ISC DHCP have not yet been released. I will continue to monitor the security advisory until these updates are made available.

Thank you.
=======================
Update 26th April 2016
=======================
At this time, the updates to address the issue mentioned above within ISC DHCP have not yet been released. I will continue to monitor the security advisory until these updates are made available.

Thank you.

Why Should These Issues Be Considered Important?
These issues affect a large number of BIND versions (listed below), which makes them all the more important to address as soon as possible:

=======================
Advisory 1: 9.10.0 -> 9.10.3-P3
Advisory 2: 9.2.0 -> 9.8.8, 9.9.0->9.9.8-P3, 9.9.3-S1->9.9.8-S5, 9.10.0->9.10.3-P3
Advisory 3: 9.0.0 -> 9.8.8, 9.9.0 -> 9.9.8-P3, 9.9.3-S1 -> 9.9.8-S5, 9.10.0 -> 9.10.3-P3
=======================

The first security issue involves an error in the implementation of preliminary support for DNS cookies (an EDNS option). If a server with cookie support enabled receives a malformed response containing multiple cookie options, named exits with an INSIST assertion failure (defined), meaning that the DNS server is no longer available to process client requests (a denial of service). Note that the trigger is a response rather than a query: an attacker has to get the server to send a query that a name server under the attacker's control answers, or spoof a response to a query in flight.

If you cannot deploy the patch for this issue immediately, a workaround is provided by ISC within this security advisory which you can use until the patch is installed.
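As an added example (not code from the original post or from ISC/BIND), the following Python parses the options carried in an OPT pseudo-record and refuses a response that carries more than one COOKIE option (option code 10), which is the safe behaviour a server should have instead of asserting. The sample OPT data is constructed here, not captured traffic; the option layout and cookie lengths follow RFC 7873.

```python
import struct

# EDNS option code for DNS COOKIE (RFC 7873).
OPTION_COOKIE = 10


def parse_edns_options(opt_rdata: bytes) -> list:
    """Parse the RDATA of an OPT pseudo-RR into a list of (code, data) pairs.

    Each option is a 16-bit code, a 16-bit length and that many bytes of data.
    A truncated option raises ValueError instead of reading past the buffer.
    """
    options = []
    offset = 0
    while offset < len(opt_rdata):
        if offset + 4 > len(opt_rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", opt_rdata, offset)
        offset += 4
        if offset + length > len(opt_rdata):
            raise ValueError("EDNS option length exceeds OPT RDATA")
        options.append((code, opt_rdata[offset:offset + length]))
        offset += length
    return options


def check_cookie_options(opt_rdata: bytes) -> str:
    """Classify a response's OPT RDATA by the COOKIE options it carries.

    Returns "ok" for zero or one well-formed cookie and "reject" otherwise.
    A well-formed cookie is 8 bytes (client cookie only) or 16 to 40 bytes
    (client cookie plus an 8 to 32 byte server cookie).
    """
    cookies = [data for code, data in parse_edns_options(opt_rdata)
               if code == OPTION_COOKIE]
    if len(cookies) > 1:
        return "reject"  # more than one cookie: drop the response, do not assert
    if cookies and not (len(cookies[0]) == 8 or 16 <= len(cookies[0]) <= 40):
        return "reject"  # a cookie of an impossible length is equally malformed
    return "ok"


def build_options(options: list) -> bytes:
    """Serialize (code, data) pairs into OPT RDATA; used to build the samples below."""
    return b"".join(struct.pack("!HH", code, len(data)) + data
                    for code, data in options)


# Constructed sample inputs (not real traffic): a normal response carrying one
# 16-byte cookie, and a malicious one carrying the COOKIE option twice.
CLIENT_COOKIE = bytes(range(8))
SERVER_COOKIE = bytes(range(8, 16))
NORMAL_RESPONSE = build_options([(OPTION_COOKIE, CLIENT_COOKIE + SERVER_COOKIE)])
DOUBLE_COOKIE_RESPONSE = build_options([
    (OPTION_COOKIE, CLIENT_COOKIE + SERVER_COOKIE),
    (OPTION_COOKIE, CLIENT_COOKIE + SERVER_COOKIE),
])

if __name__ == "__main__":
    print("normal response:", check_cookie_options(NORMAL_RESPONSE))
    print("double-cookie response:", check_cookie_options(DOUBLE_COOKIE_RESPONSE))
```

The point of the length checks in parse_edns_options is that a malformed option must fail closed with an ordinary error the caller can handle, never with a process-terminating assertion.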

The second security issue involves the incorrect parsing (analyzing data in a structured manner in order to create meaning from it) of a malformed packet deliberately sent to the server's rndc control channel by a remote attacker. This description from ISC seems a little misleading, since you cannot correctly parse an incorrectly formed packet; what I expect they mean is that an unexpected/inappropriate action is taken by the named control channel when it encounters a malformed packet, which results in a security issue. In this instance an assertion failure results in named exiting, as before, resulting in a denial of service.

If you cannot deploy the patch for this issue immediately, a workaround is provided by ISC within this security advisory which you can use until the patch is installed. In any case the control channel (used by rndc, 953/tcp by default) should only ever be reachable from trusted hosts: the controls statement in named.conf can limit it to the loopback address or a management network and require a key, so that an attacker who cannot reach the channel cannot send it a malformed packet in the first place.

The third and final security issue addressed by these updates involves an error in the parsing of resource record signatures on DNAME (defined here and here) DNS records. Once again this results in an assertion failure causing named to exit, and therefore a denial of service. No workaround is available for this issue.

How Can I Protect Myself from These Issues?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by these issues, please follow the advice within ISC’s security advisories to install the necessary updates to resolve these issues as soon as possible:

CVE-2016-2088: A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure
CVE-2016-1285: An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
CVE-2016-1286: A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c

Thank you.

ISC Releases Security Updates for BIND (January 2016)

On the 19th of January Internet Systems Consortium (ISC) released 2 security updates to address critical and medium severity denial of service issues (defined) within their BIND DNS software.

Why Should These Issues Be Considered Important?
The critical severity, remotely exploitable vulnerability is caused by a buffer size check intended to guard against a buffer overflow (defined): when specific APL (address prefix list) record data is processed, that check fails and causes named to exit with an INSIST assertion failure. Examples of possible ways (not an exhaustive list) for this vulnerability to be exploited are provided by ISC within their first security advisory for these issues. For the remaining medium severity, remotely exploitable issue, an error in how BIND converts OPT resource records and ECS options to text form (for example when debug logging is enabled) can cause an assertion failure (defined), again resulting in BIND exiting.

These issues affect a large number of BIND versions (listed below), which makes them all the more important to address:

=======================
Critical Severity Issue: 9.3.0->9.8.8, 9.9.0->9.9.8-P2, 9.9.3-S1->9.9.8-S3, 9.10.0->9.10.3-P2
Medium Severity Issue: 9.10.0->9.10.3-P2
=======================

In addition, as mentioned by ISC, versions 9.3 to 9.8 of BIND are considered end of life and will not be receiving updates to address the critical issue. Currently supported versions of BIND are listed here.

Moreover, according to ISC, the critical issue has no workarounds or known mitigations. The medium severity issue can be mitigated by disabling debug logging (but only as a temporary measure until the appropriate update can be applied).

How Can I Protect Myself from These Issues?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by these issues, please follow the advice within ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c
CVE-2015-8705: Problems converting OPT resource records and ECS options to text format can cause BIND to terminate.

Thank you.

ISC Releases Security Updates for BIND (December 2015)

Earlier this month the Internet Systems Consortium (ISC) released a security update to address a critical denial of service issue (defined) within their BIND DNS software.

This vulnerability is caused by an error in the parsing (analyzing data in a structured manner in order to create meaning from it) of incoming responses: records within a response whose class is incorrect are accepted rather than rejected. Had the parsing been carried out correctly, the incorrect class would have been detected and the response discarded.

Why Is This Issue Considered Critical?
A single specifically crafted response sent to BIND will cause it to trigger a REQUIRE assertion failure when the records within that response are later cached. An attacker could exploit this issue to cause BIND to exit, resulting in a denial of service for the legitimate clients of the BIND server. Recursive DNS (defined) BIND servers are at particular risk from this issue since they routinely accept responses from name servers all over the internet.
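As an added example (not code from the original post or from BIND), the following Python parses a DNS response from its wire format and lists every record whose CLASS differs from the question's CLASS; a resolver should treat a non-empty list as grounds for discarding the whole response rather than caching any of it. The OPT pseudo-record (type 41) is exempted because its CLASS field carries the requester's UDP payload size rather than a class, so a naive check would wrongly reject every EDNS response. The two messages are constructed inline with struct; they are not captured traffic.

```python
import struct

TYPE_OPT = 41  # OPT pseudo-RR: its CLASS field holds the UDP payload size, not a class


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Parse the header, question section and every resource record of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        if offset + rdlen > len(msg):
            raise ValueError("RDATA runs past end of message")
        records.append((name, rtype, rclass, msg[offset:offset + rdlen]))
        offset += rdlen
    return {"id": ident, "flags": flags, "questions": questions, "records": records}


def class_mismatches(msg: bytes) -> list:
    """Return the records whose CLASS differs from the question's CLASS.

    A non-empty result means the response must be rejected, not cached.
    """
    parsed = parse_response(msg)
    if not parsed["questions"]:
        raise ValueError("response carries no question section")
    qclass = parsed["questions"][0][2]
    return [r for r in parsed["records"] if r[1] != TYPE_OPT and r[2] != qclass]


def encode_name(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(answer_class: int, with_opt: bool = True) -> bytes:
    """Constructed A-record response to 'www.example.' asked in class IN (1)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name("www.example.") + struct.pack("!HH", 1, 1)
    # the answer owner name is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, answer_class, 300, 4) + bytes([192, 0, 2, 1])
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)) if with_opt else b""
    return header + question + answer + opt


GOOD_RESPONSE = build_response(answer_class=1)       # answer in class IN, matches
BAD_CLASS_RESPONSE = build_response(answer_class=0xFFFF)  # answer in a bogus class

if __name__ == "__main__":
    print("good response mismatches:", class_mismatches(GOOD_RESPONSE))
    print("bad response mismatches:", class_mismatches(BAD_CLASS_RESPONSE))
```

The check runs before anything is cached, which is the ordering that matters: the page's point is that the mismatched record was accepted at parse time and only blew up later when the cache code hit it.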

This issue affects a large number of BIND versions (listed below), which makes it all the more important to address:
9.0.x -> 9.9.8
9.10.0 -> 9.10.3

Moreover, according to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

How Can I Protect Myself From This Issue?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by this issue, please follow the advice within ISC’s security advisory to install the necessary update to resolve this issue:

CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Thank you.

ISC Releases Security Updates for BIND (September 2015)

Last week the Internet Systems Consortium (ISC) released security updates to resolve 2 critical denial of service (defined) CVEs (defined) in its BIND DNS server software.

The first vulnerability is caused by an incorrect boundary check within the module of the server that handles OPENPGPKEY resource records. Such boundary checks exist to prevent buffer overflows (defined). If an attacker can supply a specifically crafted response to a query from the server, that response would cause a REQUIRE assertion failure, which in turn causes BIND to exit. Assert functions are generally used in software code to halt a program when a condition that should never occur is encountered.

According to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

The final security update resolves an issue that is almost identical to the issue discussed in a previous blog post. As before, an attacker can deliver a malformed DNSSEC key by sending a query to the BIND server that requires the server to obtain a response from a DNS zone (the area for which a DNS server is authoritative, defined here) containing this malformed key. In a similar manner to the first flaw (discussed above), attempting to parse (analyze data in a structured manner in order to create meaning from it) this malformed key will cause the server to halt due to an assertion failure, so it can no longer carry out its role as a DNS server. While a workaround is available, it has a drawback and therefore it's recommended to install the applicable security update rather than rely on this workaround.

Why Are These Issues Considered Critical?
As was previously seen with the last set of updates for BIND, these security issues when exploited can result in the BIND software being unavailable for use. For any device that uses your server for DNS services, those devices will no longer be able to access websites, other intranet resources or use email.

How Can I Protect Myself From These Issues?
If you use BIND (it is included with some Linux distributions e.g. Ubuntu, Redhat etc.) to provide any DNS services within your company or you know anybody who may be affected by these issues, please follow the advice in ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c

Thank you.

ISC Releases Critical Security Updates for BIND

In late July the Internet Systems Consortium (ISC) released security updates to resolve critical denial of service (denial of service, defined) CVEs (CVE, defined) that exist in their BIND DNS software.

The first flaw is due to an error in handling TKEY queries (TKEY, defined in RFC 2930, is a DNS meta-record type used to negotiate a shared secret key between a client and a server, for example for later use with TSIG). A single specifically crafted query packet sent to BIND will cause it to trigger a REQUIRE assertion failure which will cause BIND to exit. Assert functions are generally used in software code to halt a program when a condition that should never occur is encountered. Because the flaw is hit early in query processing, ISC's advisory notes that both recursive and authoritative servers are affected and that ACLs in named.conf do not protect against it.

According to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

The remaining flaw patched by ISC is due to an error in how BIND parses (analyses data in a structured manner in order to create meaning from it) data when performing DNSSEC validation for data contained within a specifically crafted DNS zone (the area for which a DNS server is authoritative; see also “Aside” below). This results in the BIND software exiting, producing a denial of service condition (denial of service, defined). While this issue has workarounds, they are not recommended since they have drawbacks; instead, installing the updates mentioned in this security advisory is the recommended resolution.

Why Are These Issues Considered Critical?
These issues were assigned such a severe criticality rating due to their impact on the DNS name resolution software, namely that the software stops functioning. In addition, these issues are considered easy to exploit. For any device that uses your server for DNS services, those devices will no longer be able to access websites, other intranet resources or use email. If this issue is exploited on a wider scale, large parts of the internet would no longer be able to function correctly until those DNS servers were returned to service.

In addition, according to two separate sources exploits for this issue are already being seen in the wild. The availability of some popular websites has been affected. Since your website can be a large contributor to your revenue it is in your interest to address this issue.

How Can I Protect Myself From These Issues?
If you use BIND (it is included with Linux distributions e.g. Ubuntu, Redhat etc.) to provide any DNS services within your company or you know anybody who may be affected by these issues, please follow the advice in ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure

CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating

Thank you.

=======================
Aside:
What is a DNS zone?

A company's domain e.g. example.com can be split for organizational/administrative reasons into departments e.g. accounting.example.com, admin.example.com etc. Each of these subdomains can then be delegated as its own zone within the parent domain (example.com). Depending on the size of an organization, and for administrative or performance reasons, different DNS servers may be assigned to provide DNS services for specific subdomains e.g. DNS server 1 provides DNS for Accounting and Admin while DNS server 2 is responsible for Production and Support.

Thus each server is responsible for different zones. These servers are authoritative for those zones, since they hold the hostname (the name of a device within a domain or subdomain) to IP address translations for them. This is similar to looking up a person's name in a phone book to find their telephone number; DNS provides this service to enable computers to communicate with one another.

For an example of how DNS is used when web browsing, see the section titled “Why Does An Attacker Want To Change My Router’s DNS Settings” within a previous blog post.
=======================

=======================
Aside 2:
What is DNSSEC?

This is a set of extensions to the original DNS standard that provides extra security, namely data origin authentication (assurance that the DNS translation data really came from the zone's operator) and data integrity. This is to prevent spoofing (where an invalid hostname to IP address translation is provided by another DNS server, potentially controlled by an attacker) and DNS cache poisoning (where spoofed values are stored alongside legitimate values within a DNS server, so that such values are returned to DNS queries and take devices to unexpected locations).

DNSSEC uses public key cryptography and digital signatures to allow verification of the authenticity of the DNS data received. Each zone's operator signs the zone's records with a private key and publishes the matching public key in a DNSKEY record; the signatures (RRSIG records) are a means of verifying that the DNS information received has not been altered and has come from the zone's operator. Unlike TLS, DNSSEC does not use certificates or certification authorities (CA, defined): trust is chained from the root zone downwards, with each parent zone publishing a DS record containing a hash of its child zone's key, so that a validating resolver configured with the root zone's key can verify the chain down to any signed zone. Note that DNSSEC provides authentication and integrity but not confidentiality; the data is signed, not encrypted.
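To make the chain of trust concrete, here is an added Python example (not code from the original post, nor from any DNSSEC implementation) that computes the key tag of a DNSKEY record (RFC 4034, Appendix B) and the SHA-256 DS digest (RFC 4509) a parent zone publishes for it, then checks whether a DNSKEY received from a child matches that DS. The zone name and key bytes are constructed placeholders rather than a real key, and only digest type 2 (SHA-256) is handled.

```python
import hashlib
import struct

DS_DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def encode_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034, Appendix B.1).

    The tag is a cheap identifier that RRSIG and DS records use to say which
    DNSKEY they refer to; it is not a security property on its own.
    """
    ac = 0
    for i, byte in enumerate(dnskey_rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, dnskey_rdata: bytes) -> str:
    """SHA-256 DS digest = hash(owner name in wire form || DNSKEY RDATA), as hex."""
    return hashlib.sha256(encode_name(owner) + dnskey_rdata).hexdigest()


def make_ds(owner: str, dnskey_rdata: bytes) -> tuple:
    """The DS RDATA fields a parent zone publishes: (key tag, algorithm, digest type, digest)."""
    algorithm = dnskey_rdata[3]
    return key_tag(dnskey_rdata), algorithm, DS_DIGEST_SHA256, ds_digest(owner, dnskey_rdata)


def dnskey_matches_ds(owner: str, dnskey_rdata: bytes, ds: tuple) -> bool:
    """Does a DNSKEY received from the child zone match the DS the parent vouches for?

    All four fields must agree; a different owner name or a single changed key
    byte changes the digest, so a forged key cannot be linked to the parent.
    """
    tag, algorithm, digest_type, digest = ds
    if digest_type != DS_DIGEST_SHA256:
        return False  # other digest types are out of scope for this example
    return (tag == key_tag(dnskey_rdata)
            and algorithm == dnskey_rdata[3]
            and digest == ds_digest(owner, dnskey_rdata))


def build_dnskey(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


# Constructed sample (not a real key): a key-signing key (flags 257) using
# algorithm 8 (RSA/SHA-256) with a four-byte placeholder public key; a real
# RSA public key is hundreds of bytes long.
ZONE = "example."
KSK = build_dnskey(flags=257, algorithm=8, public_key=bytes([1, 2, 3, 4]))
PARENT_DS = make_ds(ZONE, KSK)
FORGED_KSK = build_dnskey(flags=257, algorithm=8, public_key=bytes([1, 2, 3, 5]))

if __name__ == "__main__":
    print("DS published by the parent:", PARENT_DS)
    print("genuine key matches DS:", dnskey_matches_ds(ZONE, KSK, PARENT_DS))
    print("forged key matches DS:", dnskey_matches_ds(ZONE, FORGED_KSK, PARENT_DS))
```

A validating resolver repeats this DS-to-DNSKEY match at every delegation from the root down, and verifies the RRSIG over each DNSKEY set with the key the DS points at; no certificate and no CA appear anywhere in that chain.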

A summary of the security benefits of DNSSEC is provided here and here while background information on DNSSEC deployment is provided here.
=======================