Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: BIND 9 Update - DoS or information disclosure vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
BIND 9 Update - DoS or information disclosure vulnerability

The Internet Systems Consortium released a security advisory on Monday about a possible denial of service attack against BIND named DNS servers (which constitute the majority of name servers on the internet).  The advisory states that the primary threat is against recursive name servers (the ones clients workstations/laptops/mobile devices point to to translate DNS names into IP addresses), though authoritative primary and secondary name servers could also be at risk if configured with experimental record types.  While they were not aware, at the time, of any active exploitation of the vulnerability, the details had been discussed in public mailing lists.  The vulnerability involves improper handling of certain requests with zero-length RDATA fields.  From the description, it doesn't appear that the crafting of a packet that would trigger the vulnerability would be too difficult.  The result would be either crashing the named daemon or disclosure of some unrelated contents of memory.  Updates should be applied, especially to your recursive name servers, as soon as practical.

References:

http://www.isc.org/software/bind/advisories/cve-2012-1667

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Jim

402 Posts
ISC Handler
I found that a few name servers I manage had no records for BING.COM in them. All other domains resolved without issue. I wonder if Microsoft was once again hit, perhaps using this vulnerability. Hmmm, no doubt others will follow if that is the case. Shields up :-)
Anonymous

Sign Up for Free or Log In to start participating in the conversation!