BIND comes apart thanks to ancient denial-of-service vuln

No active exploits, but crashes are happening in the wild

Back in 2000, a bug crept into the Internet Systems Corporation's BIND server, and it lay unnoticed until now.

The result: if you're running a vulnerable version of BIND and using DNSSEC, you need to patch the server against a denial-of-service vulnerability.

The venerable BIND is the world's most-used Domain Name System (DNS) software.

The vulnerability, disclosed on January 16th, is in the named (name daemon): “Improper sequencing during cleanup can lead to a use-after-free error, triggering an assertion failure and crash in named”, the advisory states.

The error is in the netaddr.c library in the daemon.

Disabling DNSSEC validation provides a workaround, but the advisory says all versions since BIND 9.0.0 (released in 2000) need to be patched.

The issue is most serious for “versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1”.

“No known active exploits but crashes due to this bug have been reported by multiple parties”, the advisory continues.

Jayachandran Palanisamy of Cygate identified the bug. ®




Biting the hand that feeds IT © 1998–2018