BIND Flaw Exposes DNS Servers to Denial-of-Service Attacks
A recent flaw in the BIND open-source software used for DNS servers allows denial-of-service attacks on both authoritative and recursive DNS servers, by constructing a flawed UDP packet that exploits an error in the handling of queries for TKEY records.
Dubbed as critical by the CVE-2015-5477 advisory, affected BIND servers include versions 9.1.0 up to 9.8.x, 9.9.0 up to 9.9.7-P1, and 9.10.0 up to 9.10.2-P2.
“An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit,”Â reads the advisory. “Both recursive and authoritative servers are vulnerable to this defect. Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.”
Because DNS servers are a fundamental part of the internet infrastructure – converting domain names into numeric IP addresses – system administrators should plug the vulnerability by installing the latest BIND patch released by ISC.
“Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds,”Â said ISC engineer Michael McNally. “Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then.”
The vulnerability hasreportedly been weaponized as part of a proof-of-concept, although no in-the-wild reports have been confirmed. Because patching is said to completely protect against the vulnerability, McNally believes it’s only a matter of time before real-world attacks occur.
“The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer,”wrote McNally. “I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.”
Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US
July 16, 2021
How to protect yourself against cyberstalking
July 06, 2021
The Top Five Security Risks Smartphone Users Face Today
July 02, 2021
Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials
July 02, 2021
Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger
June 30, 2021
FOLLOW US ON
You might also like
August 02, 2021
July 30, 2021