BIND DNS software vulnerability which could lead to DoS attacks exposed

The bug impacts multiple versions of the open-source software.

The Internet Systems Consortium (ISC) has warned that a severe vulnerability could be exploited to launch denial-of-service (DoS) attacks in the open-source BIND software.

ISC's Berkeley Internet Name Domain (BIND) software is an open-source Domain Name System (DNS) solution used worldwide for the online publishing of DNS data and DNS query resolution.

TechRepublic: DDoS attacks increased 91% in 2017 thanks to IoT

The software, which originated from the University of California at Berkeley in the 1980s, claims to be the most widely used DNS software on the Internet.

However, this popularity may have created fertile ground for threat actors due to a vulnerability which impacts multiple versions of the software.

On Wednesday, ISC released a security advisory warning of the existence of CVE-2018-5740, a bug in the "deny-answer-aliases" feature in BIND.

See also: It's time to patch BIND before your DNS servers lock up

The feature, which ISC says is "rarely used," contains a vulnerability which "can cause named to exit with an INSIST assertion failure."

"Deny-answer-aliases" is a feature intended to help recursive server operators protect end users against DNS rebinding attacks. However, when the feature is in use, a defect in the system -- triggered either by accident or remotely -- will cause an INSIST assertion failure.

In turn, this would cause the named process to crash and create a denial-of-service situation.

"Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation," ISC says.

Versions 9.7.0 -- 9.8.8, 9.9.0 -- 9.9.13, 9.10.0 -- 9.10.8, 9.11.0 -- 9.11.4, 9.12.0 -- 9.12.2, and 9.13.0 -- 9.13.2 are all impacted.

CNET: Ajit Pai blames Obama administration over FCC DDoS attack that didn't happen

If exploited, the vulnerability can be used to compromise BIND and remotely launch DoS attacks. However, as the feature has to be explicitly enabled, the danger only lies in systems in which "deny-answer-aliases" is active.

There have been no reports of this exploit being used in the wild.

Administrators should either upgrade to the latest, patched version of BIND which resolves the issue or alternatively disable the feature, to protect themselves against attack.

Security researcher Tony Finch of the University of Cambridge was credited with discovering the vulnerability.

Previous and related coverage