ISC Patches Critical DoS Vulnerability in BIND

A critical, remotely exploitable bug in some BIND domain name system (DNS) servers could cause a denial of service situation and trigger them to crash.

The defect lies in the extension mechanisms for DNS (EDNS) specification, the Internet Systems Consortium, which performs upkeep on the system, acknowledged this week.

To exploit it, an attacker would have to create a specially crafted query, which would in turn cause an assertion error and lead to a DoS attack in any nameservers running affected versions of BIND: 9.10.0 and 9.10.0-P1.

No authentication is needed to exploit the vulnerability, and both authoritative and recursive servers are vulnerable to the defect.

An advisory posted Wednesday by Jeremy Reed, a sales and support engineer at ISC, notes that the bug (CVE-2014-3859) technically lies in libdns, a C library for building DNS requests, and that any other applications running the libdns library “from the affected source distributions can also be forced to crash with assertion failures triggered in the same fashion.”

While there are no known active exploits for the bug in the wild, there are also no workarounds, so ISC is encouraging users to patch their system and upgrade to version 9.10.0-P2, which eliminates the vulnerability.