Remote denial of service vulnerability exposes BIND servers

The vulnerability affects any DNS server running an unpatched version of BIND, the most widely used open-source DNS server software, whether it serves authoritative zones or performs recursion.


The Internet Systems Consortium (ISC), which maintains BIND, released new versions of the DNS server software overnight to patch a critical vulnerability which can be exploited in denial-of-service attacks.

Lead investigator Michael McNally from the Internet Systems Consortium (ISC) said in a security advisory that the bug, CVE-2015-5477, is a critical issue: an attacker who sends a single crafted packet can crash the name server, and once DNS resolution is gone the email systems, websites and other online services that depend on it become unreachable.

The advisory, titled "An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure," describes a flaw in BIND, the most commonly used open-source implementation of the DNS protocols; named is BIND's server daemon, and a REQUIRE assertion failure makes it abort rather than continue in an inconsistent state.

Standing for 'Berkeley Internet Name Domain,' the software originated in the early 1980s and, while long considered a stable way for computing systems to comply with DNS standards, is now the subject of a bug which can only be resolved by patching.

The advisory says the bug, which carries a CVSS score of 7.8, could affect large swathes of the internet. It is caused by "an error in the handling of TKEY [transaction key] queries [which] can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit."

The notice says:

"Both recursive and authoritative servers are vulnerable to this defect. Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries."

BIND 9 versions 9.1.0 through 9.9.7-P1 and 9.10.0 through 9.10.2-P2 are all vulnerable to the bug.

According to McNally, ISC knows of no configuration workaround that protects against exploitation: the only way to prevent problems is to patch vulnerable BIND servers. Screening offensive packets with firewalls is "likely to be difficult or impossible," McNally says, as most devices do not understand DNS at the protocol level, and filtering "may be problematic even then."
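Because ACLs and firewalls cannot stop the crafted packet, the practical remaining control before patching is visibility: knowing which clients are sending TKEY queries (question type 249) at all, since those are rare outside GSS-TSIG dynamic-update environments. The following is an added example, not code from ISC or the article, that parses raw UDP DNS payloads, flags TKEY queries, and survives malformed input so a monitor does not die on junk. The sample packets are constructed inline; the function and constant names are this example's own.

```python
import struct

TYPE_A = 1
TYPE_TKEY = 249   # RFC 2930 Transaction Key query type
QR_BIT = 0x8000   # header flags: set on responses, clear on queries


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build a minimal UDP DNS query (header + one question) as test traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(pkt, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[offset]
        if length == 0:
            offset += 1
            break
        if (length & 0xC0) == 0xC0:                    # compression pointer
            if offset + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # name ends after the first pointer
            hops += 1
            if hops > 32 or target >= offset:          # pointers must point backwards
                raise ValueError("bad pointer")
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if offset + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_header_and_questions(pkt):
    """Parse the header and question section of a raw UDP DNS payload."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", pkt[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(pkt, offset)
        if offset + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "flags": flags, "questions": questions,
            "ancount": ancount, "nscount": nscount, "arcount": arcount}


def is_tkey_query(pkt):
    """True if pkt is a DNS query whose question section asks for type TKEY.
    Malformed packets return False instead of raising."""
    try:
        msg = parse_header_and_questions(pkt)
    except ValueError:
        return False
    if msg["flags"] & QR_BIT:                          # a response, not a query
        return False
    return any(qtype == TYPE_TKEY for _, qtype, _ in msg["questions"])


def flag_tkey_queries(packets):
    """Return (index, qname) for every packet in the list that is a TKEY query."""
    hits = []
    for i, pkt in enumerate(packets):
        if is_tkey_query(pkt):
            names = [q[0] for q in parse_header_and_questions(pkt)["questions"]
                     if q[1] == TYPE_TKEY]
            hits.append((i, names[0]))
    return hits


# Constructed sample traffic: an ordinary A query, a TKEY query, and a junk datagram.
SAMPLE_PACKETS = [
    build_query("www.example.com", TYPE_A),
    build_query("tkey.example.com", TYPE_TKEY),
    b"\x00\x01\x00",
]

if __name__ == "__main__":
    for idx, qname in flag_tkey_queries(SAMPLE_PACKETS):
        print("packet %d: TKEY query for %s" % (idx, qname))
```

Feed it UDP payloads captured in front of the resolver (for TCP, strip the two-byte length prefix first). A hit is not proof of an attack, since Windows clients doing GSS-TSIG updates legitimately send TKEY, and the parser only identifies the query type, not whether the packet is the malformed one that trips the assertion; it tells you who is talking TKEY to an unpatched server, which is what you want to know while the upgrade is scheduled.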


The researcher expects an onslaught of attacks against unpatched BIND servers soon, commenting:

"The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer.

I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind."

It is recommended that DNS operators upgrade to BIND 9 version 9.9.7-P2 or BIND 9 version 9.10.2-P3 immediately.
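Checking a fleet against the affected ranges above and the fixed releases is a version-string comparison with one trap: Linux distributions ship BIND under the upstream version number plus their own suffix and often backport the fix without bumping it. The following is an added example, not ISC's or the article's code, that reads the output of `named -v`, compares it against the two affected branches, and flags distribution builds for a check against the vendor advisory rather than declaring them vulnerable outright. The sample strings and function names are this example's own.

```python
import re

# Matches the version token in "named -v" output, e.g. "BIND 9.9.7-P1" or a
# distribution build such as "BIND 9.9.5-9+deb8u2-Debian" (constructed samples).
NAMED_V_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(\S*)")

# Affected ranges as inclusive (major, minor, patch, P-level) tuples, with the
# first fixed release of each branch, as stated in the advisory.
AFFECTED = [
    ((9, 1, 0, 0), (9, 9, 7, 1), "9.9.7-P2"),
    ((9, 10, 0, 0), (9, 10, 2, 2), "9.10.2-P3"),
]


def parse_named_version(text):
    """Return ((major, minor, patch, plevel), distro_suffix) from named -v output."""
    m = NAMED_V_RE.search(text)
    if not m:
        raise ValueError("not a BIND version string: %r" % text)
    major, minor, patch, plevel, suffix = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0)), suffix


def assess(text):
    """Classify one named -v line against CVE-2015-5477's affected ranges."""
    ver, suffix = parse_named_version(text)
    result = {"version": ver, "vulnerable": False, "upgrade_to": None, "note": ""}
    for lo, hi, fixed in AFFECTED:
        if lo <= ver <= hi:
            result["vulnerable"] = True
            result["upgrade_to"] = fixed
    if suffix:
        # A vendor suffix means the package may carry a backported fix under the
        # old upstream number; the version string alone cannot settle it.
        result["note"] = ("distribution build (%s): check the vendor advisory, "
                          "the fix may be backported" % suffix)
    return result


if __name__ == "__main__":
    for line in ["BIND 9.9.7-P1", "BIND 9.10.2-P2 <id:2e7a1a1>",
                 "BIND 9.9.5-9+deb8u2-Debian", "BIND 9.10.2-P3"]:
        print(line, "->", assess(line))
```

Run it over the collected `named -v` output of every server; anything marked vulnerable without a note needs the listed upgrade, and anything with a note needs the package version checked against the distribution's own advisory for this CVE.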
