ISC Patches Denial-of-service Vulnerability Found In BIND 9

Thursday, April 25, 2024

Home

News

Reviews

Articles

Guides

Download

Expert Area

Forum

Site Info

Thursday, June 6, 2013

ISC Patches Denial-of-service Vulnerability Found In BIND 9

You are sending an email that contains the article
and a private message for your recipient(s).

Your Name:

Your e-mail:

* Required!

Recipient (e-mail):

Subject:

Introductory Message:

HTML/Text
(Photo: Yes/No)

(At the moment, only Text is allowed...)

Message Text:

The Internet Systems Consortium (ISC) has released a new versions of the BIND DNS (Domain Name System) software that contain a fix for a defect that could be used to remotely crash DNS servers.

ISC is the the organization that develops and maintains the BIND DNS (Domain Name System) software, the most widely used DNS server software and the standard DNS software on many Unix-like systems, including Linux, Solaris and Mac OS X.

The bug had been discovered in the most recent releases of BIND 9 and had the potential for deliberate exploitation as a denial-of-service attack. By sending a recursive resolver a query for a record in a specially malformed zone, an attacker can cause BIND 9 to exit with a fatal "RUNTIME_CHECK" error in resolver.

ISC says that no intentional exploitation of the bug has been observed in the wild. The existence of the issue has been disclosed on an open mailing list with enough accompanying detail to reverse engineer an attack and ISC is therefore treating this as a Type II (publicly disclosed) vulnerability.

The vulnerability Versions affected BIND 9.6-ESV-R9, 9.8.5, and 9.9.3.

ISC recommends to upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://ftp.isc.org/isc/bind9