A flaw in the widely used BIND DNS (Domain Name System) software can be exploited by remote attackers to crash DNS servers and affect the operation of other programs running on the same machines. BIND versions 9.7.x, 9.8.0 up to 9.8.5b1 and 9.9.0 up to 9.9.3b1 for UNIX-like systems are vulnerable, according to a security advisory published Tuesday by the Internet Systems Consortium (ISC), a nonprofit corporation that develops and maintains the software.
The vulnerability can be exploited by sending specially crafted requests to vulnerable installations of BIND, causing the DNS server process (the name daemon, known as “named”) to consume excessive memory resources.
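For operators taking inventory, the version ranges quoted above can be turned into a triage check. This is an added example, not code from ISC or from the article; the verdict names and the rule that sends `-P` builds of 9.8/9.9 to "verify" are assumptions of the example, made because the article does not list the fixed releases.

```python
import re

# Stage order within one x.y.z release: alpha < beta < rc < final < -P patch build.
STAGE = {"a": 0, "b": 1, "rc": 2, "": 3, "-P": 4}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(a|b|rc|-P)?(\d+)?")

# Inclusive bounds taken from the ranges quoted in the article.
INF = float("inf")
AFFECTED = [
    ((9, 7, 0, 0, 0), (9, 7, INF)),        # 9.7.x
    ((9, 8, 0, 3, 0), (9, 8, 5, 1, 1)),    # 9.8.0 up to 9.8.5b1
    ((9, 9, 0, 3, 0), (9, 9, 3, 1, 1)),    # 9.9.0 up to 9.9.3b1
]


def parse_bind_version(text):
    """Return a sortable tuple for the first BIND version in text, or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return (major, minor, patch, STAGE[m.group(4) or ""], int(m.group(5) or 0))


def classify(version_text):
    """Map a version string (e.g. from `named -v`) to a triage verdict."""
    v = parse_bind_version(version_text)
    if v is None:
        return "unparsed"
    if not any(lo <= v <= hi for lo, hi in AFFECTED):
        return "not-listed"
    # The article names no fixed releases, so a -P build of 9.8/9.9 inside a
    # listed range cannot be settled from it: check the ISC advisory instead.
    if v[3] == STAGE["-P"] and v[:2] != (9, 7):
        return "verify"
    return "affected"


if __name__ == "__main__":
    # Constructed sample strings, not output captured from real servers.
    for sample in ["BIND 9.7.3", "BIND 9.8.5b1", "BIND 9.8.5rc1",
                   "BIND 9.9.2-P1", "BIND 9.9.3", "BIND 9.6-ESV-R8"]:
        print(f"{sample:16} {classify(sample)}")
```

A "not-listed" verdict only means the version falls outside the ranges quoted in this article; it is not a statement that the build is safe.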
“However, at the time of this advisory, BIND 10 is not ‘feature complete,’ and depending on your deployment needs, may not be a suitable replacement for BIND 9.”
“It took me approximately ten minutes of work to go from reading the ISC advisory for the first time to developing a working exploit,” a user named Daniel Franke said in a message sent to the Full Disclosure security mailing list on Wednesday. Franke is not the only one possible, and that operators of *ANY* recursive *OR* authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue,” Wright said. … Franke’s comment, which is that the required complexity of the exploit for this vulnerability is not high, and immediate action is recommended to ensure your nameservers are not at risk.”
This bug could be a serious threat considering the widespread use of BIND 9, according to Dan Holden, director of the security engineering and response team at DDoS mitigation vendor Arbor Networks.
…Several security companies said earlier this week that a recent distributed denial-of-service (DDoS) attack targeting an anti-spam organization was the largest in history and affected critical Internet infrastructure.
“If operators are relying on inline detection and mitigation, very few security research organizations are proactive about developing their own proof-of-concept code on which to base a mitigation upon,” Holden said.
Link: http://www.computerworld.com/s/article/print/9238002/Critical_denial_of_service_flaw_in_BIND_software_puts_DNS_servers_at_risk?taxonomyName=Malware+and+Vulnerabilities&taxonomyId=85