New DNS vulnerability has organizations scrambling

Federal agencies are among those working to update, patch BIND DNS servers

Organizations using the BIND 9 DNS server are being urged to update and patch their servers to correct a zero-day vulnerability that can allow remote attackers to execute denial-of-service attacks against them.

The Internet Systems Consortium, which maintains BIND, a widely used open-source DNS server, announced last week that an exploit already is in wide circulation for the vulnerability, which can cause servers running BIND 9 to crash.

The Dynamic Update Denial of Service vulnerability was announced last week and ISC has released updates of affected versions of the server. Vendors of commercial products based on the software also are releasing patches for the vulnerability.

Patching is crucial, ISC said in announcing the vulnerability. “Access controls will not provide an effective workaround.”

The Domain Name System is a protocol for associating domain names such as gcn.com with the numerical IP addresses that are used to direct Internet traffic. DNS underlies almost all Internet activity. BIND — originally the Berkeley Internet Name Domain — is widely used open-source DNS software that probably runs on more than half of the world’s public DNS servers.

According to ISC, when most versions of BIND 9 — the current release of the software — are configured as a master server, the receipt of a specially crafted dynamic update message can cause the server to crash. “Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master,” the alert says. “Launching the attack against slave zones does not trigger the assert” that causes the crash. “This vulnerability affects all servers that are masters for one or more zones — it is not limited to those that are configured to allow dynamic updates.”
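The practical question the advisory raises for a defender is which servers are masters for at least one zone, since that, not whether allow-update is configured, determines exposure. The following is an added example, not code from the article or from ISC: a small Python audit that parses a constructed named.conf fragment and lists every master zone, noting whether it also permits dynamic updates.

```python
import re

# Constructed sample named.conf fragment (assumption: not from the article or ISC).
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
zone "example.test" {
    type master;          // master with no allow-update: still exposed
    file "example.test.zone";
};
zone "corp.example.test" {
    type slave;           # slave-only: not a trigger target per the advisory
    masters { 192.0.2.10; };
    file "slaves/corp.example.test";
};
zone "dyn.example.test" IN {
    type master;
    file "dyn.example.test.zone";
    allow-update { key "ddns-key"; };
};
"""

ZONE_HDR = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
# "primary" is the newer BIND synonym for "master"; accepted so the audit
# also works on configurations written with the modern keyword.
MASTER_TYPES = {"master", "primary"}

def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a zone."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def _block_after(text, start):
    """Return the contents of the brace block whose '{' is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def master_zones(conf_text):
    """Return [(zone_name, allows_dynamic_update)] for every master zone."""
    text = strip_comments(conf_text)
    found = []
    for m in ZONE_HDR.finditer(text):
        body = _block_after(text, m.end() - 1)
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        if ztype and ztype.group(1).lower() in MASTER_TYPES:
            allows = re.search(r'\ballow-update\b', body) is not None
            found.append((m.group(1), allows))
    return found

if __name__ == "__main__":
    for zone, allows in master_zones(SAMPLE_NAMED_CONF):
        print(f"master zone {zone}: allow-update={'yes' if allows else 'no'} -> patch required")
```

Run against a real named.conf, any non-empty result means the server is exposed until patched, whatever the allow-update lines say.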

ISC has rated this vulnerability at high severity, largely because of the existence of a zero-day exploit. The National Institute of Standards and Technology’s National Vulnerability Database rates it at medium severity, with a low rating for its impact but a high rating for its exploitability.

The vulnerability comes about a year after the announcement of a vulnerability in the DNS protocols, discovered by researcher Dan Kaminsky, director of penetration testing at IOActive. The vulnerability could enable poisoning of DNS records and allow the malicious redirection of traffic. Because the vulnerability was in the protocol itself and not a specific product, it was seen as a serious threat and Kaminsky worked with the industry for months in advance of the vulnerability’s announcement to develop a quick fix for it. That vulnerability has helped to spur implementation of the DNS Security Extensions (DNSSEC) within the Domain Name System as a more permanent fix.

At least one industry observer sees the BIND Dynamic Update DoS vulnerability as more serious than Kaminsky’s vulnerability.

“It’s a lot simpler to run and execute,” said Branko Miskov, director of product management for BlueCat Networks, an IP address management company. “Pretty much any BIND 9 server can be brought down with this script. Our development team was quite surprised at how simple this was.”

He said one serious threat would be the implementation of the exploit in a worm, which could provide a persistent mechanism for repeated attacks against a server, bringing its operation to a halt.

Miskov said BlueCat was one of the first commercial product vendors to produce a patch for the vulnerability, and that the company has seen a “huge uptake” by customers of the patches. He said federal agencies are among those adopting the patches.

“We typically find that federal customers are savvy about this kind of thing,” he said. “They usually have a well-defined system in place” for installing patches.

ISC recommends that users upgrade BIND to patched versions of the software. These versions can be downloaded from:

ISC began work on BIND 9 in 1998 and it now is the most widely used version of the software. It has begun development of the next generation of the software, BIND 10.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Wed, Aug 5, 2009 Jeffrey A. williams Frisco Texas

We found this error in Bind 9 some time ago and reported it to ISC and were ignored. Seems that Paul Vixie should have been a bit more proactive here. But at least finally "After the fact, long after" ISC got a fix out. Regards, CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@ix.netcom.com
My Phone: 214-244-4827

Wed, Aug 5, 2009 Lisa Hagemann Dyn Inc.; Manchester, NH

We at Dyn Inc. found that the real vulnerability is to master servers, not specifically all authoritative servers. An authoritative slave is not vulnerable, unless it is also a master for another zone. This could be why many providers are not patching. They do not see themselves as vulnerable. But, being a master for a single zone makes you vulnerable if the exploit is run against that zone.

This vulnerability is very easy to exploit, with the exploit code running wild for over a week now.

The CERT vulnerability note (VU#725188) still shows a large number of vendors with an unknown status. Have they patched, and just not notified US-CERT?

At Dyn Inc. we were patched the very evening the vulnerability was announced. You can read about our experience, and how we helped ISC to clarify the extent of the vulnerability in the blog we posted on July 29: http://dynamicnetworkservices.com/journal/BINDVulnerabilityPatch
