Feeds

Bind DNS resolver purged of critical DoS bug

Query domain, server goes boom

Business security measures using SSL

Makers of the internet's most widely used domain name resolution software have patched a vulnerability that allowed attackers to crash many systems that run the program.

By querying a domain with large resource record sets (or RRsets) and trying to negatively cache a response, attackers can cause the Bind server to crash. The denial-of-service vulnerability threatens systems that use various versions of Bind 9 as a caching resolver. DNS systems use negative caching to improve resolution response time by preventing servers from looking up non-existent domains over and over.

“In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (Bind 9 DNS) due to an off-by-one error in a buffer size check,” read an advisory published by the Internet Systems Consortium, the group that maintains Bind.

The advisory continued:

The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup).

The advisory urges users to upgrade to Bind 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1, or 9.8.0-P2, which are available here.

As a partial workaround, users can restrict the DNS caching resolver system.

“Active exploitation can be accomplished through malware or Spam/Malvertizing actions that will force authorized clients to look up domains that would trigger this vulnerability,” the advisory warns. ®

Business security measures using SSL

More from The Register

next story
Brit telcos warn Scots that voting Yes could lead to HEFTY bills
BT and Co: Independence vote likely to mean 'increased costs'
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
ISPs' post-net-neutrality world is built on 'bribes' says Tim Berners-Lee
Father of the worldwide web is extremely peeved over pay-per-packet-type plans
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Turnbull: NBN won't turn your town into Silicon Valley
'People have been brainwashed to believe that their world will be changed forever if they get FTTP'
Google+ GOING, GOING ... ? Newbie Gmailers no longer forced into mandatory ID slurp
Mountain View distances itself from lame 'network thingy'
Blockbuster book lays out the first 20 years of the Smartphone Wars
Symbian's David Wood bares all. Not for the faint hearted
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.