2 min read

BIND Flaw Exposes DNS Servers to Denial-of-Service Attacks

Liviu ARSENE

August 03, 2015

BIND Flaw Exposes DNS Servers to Denial-of-Service Attacks

A recent flaw in the BIND open-source software used for DNS servers allows denial-of-service attacks on both authoritative and recursive DNS servers, by constructing a flawed UDP packet that exploits an error in the handling of queries for TKEY records.

Dubbed as critical by the CVE-2015-5477 advisory, affected BIND servers include versions 9.1.0 up to 9.8.x, 9.9.0 up to 9.9.7-P1, and 9.10.0 up to 9.10.2-P2.

“An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit,” reads the advisory. “Both recursive and authoritative servers are vulnerable to this defect. Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.”

Because DNS servers are a fundamental part of the internet infrastructure – converting domain names into numeric IP addresses – system administrators should plug the vulnerability by installing the latest BIND patch released by ISC.

“Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds,” said ISC engineer Michael McNally. “Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then.”

The vulnerability hasreportedly been weaponized as part of a proof-of-concept, although no in-the-wild reports have been confirmed. Because patching is said to completely protect against the vulnerability, McNally believes it’s only a matter of time before real-world attacks occur.

“The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer,”wrote McNally. “I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.”

tags


Author



Right now

Top posts

E-mails claiming your computer was hacked and your privacy exposed - what you need to know (spoiler: you can relax - they’re bluffing)

E-mails claiming your computer was hacked and your privacy exposed - what you need to know (spoiler: you can relax - they’re bluffing)

July 29, 2021

5 min read
Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

July 16, 2021

3 min read
How to protect yourself against cyberstalking

How to protect yourself against cyberstalking

July 06, 2021

2 min read
The Top Five Security Risks Smartphone Users Face Today

The Top Five Security Risks Smartphone Users Face Today

July 02, 2021

4 min read
Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

July 02, 2021

3 min read
Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

June 30, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Supply Chain Attack Detected in PyPI Library Supply Chain Attack Detected in PyPI Library
Silviu STAHIE

August 02, 2021

1 min read
Scam baiter Jim Browning bamboozled by scammers into deleting his own YouTube channel Scam baiter Jim Browning bamboozled by scammers into deleting his own YouTube channel
Filip TRUȚĂ

August 02, 2021

3 min read
Instagram influencer Hushpuppi admits his part in scams that stole more than $24 million Instagram influencer Hushpuppi admits his part in scams that stole more than $24 million
Graham CLULEY

July 30, 2021

2 min read