New Flaw in BIND Causing Server Crashes

2011-11-16T19:29:10
ID THREATPOST:AF7AF07452980EF7C523521B0CCAAC68
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:33:19

Description

There’s a new vulnerability in the popular BIND name server software that is causing various versions of the application to crash unexpectedly after logging a certain kind of error. The Internet Software Consortium, which maintains BIND, is investigating the issue and trying to determine the severity of the problem.

The problem reportedly affects all of the currently supported versions of BIND, including BIND 9.7x and 9.8x. It’s unknown right now whether the flaw can be used to run remote code.

“Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: “INSIST(! dns_rdataset_isassociated(sigrdataset))” Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9. ISC is actively investigating the root cause and has produced patches which prevent the crash,” the ISC said in an advisory on the BIND flaw.

“An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.”

ISC has produced patches for each of the vulnerable versions, and is still looking into whether there are any active exploits being used against the vulnerability right now. The patches are available on the ISC BIND site.

“The patch has two components. When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature,” the ISC advisory says.
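For operators checking whether their resolvers were hit, the assertion message quoted in the advisory is the signature to look for in named's logs. The following is an added example, not code from ISC or from the original article: it scans syslog-style lines for that message and flags hosts that crashed again after a restart. The syslog line layout, host names, PIDs and query.c line numbers in the sample are constructed assumptions; only the INSIST(...) text comes from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample log. Layout, hosts, PIDs and query.c line numbers are
# assumptions; only the INSIST(...) expression is taken from the advisory.
SAMPLE_LOG = """\
Nov 16 10:02:11 ns1 named[2211]: zone example.test/IN: loaded serial 2011111601
Nov 16 10:02:12 ns1 named[2211]: query.c:1781: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 10:02:12 ns1 named[2211]: exiting (due to assertion failure)
Nov 16 10:05:40 ns2 named[918]: query.c:1895: INSIST(!dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 10:09:30 ns1 named[2304]: query.c:1781: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 10:11:00 ns3 named[77]: zone example.test/IN: loaded serial 2011111601
"""

# Generic syslog prefix: timestamp, host, "named[pid]:", then the message.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\snamed\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
# Tolerate whitespace differences inside the assertion text between builds.
INSIST = re.compile(
    r"query\.c(?::(?P<line>\d+))?.*"
    r"INSIST\(\s*!\s*dns_rdataset_isassociated\(\s*sigrdataset\s*\)\s*\)")

def find_crashes(log_text):
    """Return {host: [(timestamp, pid, 'query.c[:line]'), ...]} per assertion hit."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a named syslog line in the assumed layout
        a = INSIST.search(m["msg"])
        if a:
            where = "query.c" + (":" + a["line"] if a["line"] else "")
            hits[m["host"]].append((m["ts"], int(m["pid"]), where))
    return dict(hits)

def summarize(hits):
    """Return sorted (host, crash_count, crashed_again_after_restart) tuples.

    Hits under more than one PID mean named was restarted and then hit the
    same cached record again, so the host still needs the patch.
    """
    return [(host, len(rows), len({pid for _, pid, _ in rows}) > 1)
            for host, rows in sorted(hits.items())]

if __name__ == "__main__":
    for host, count, repeat in summarize(find_crashes(SAMPLE_LOG)):
        print(f"{host}: {count} assertion failure(s), repeated after restart: {repeat}")
```
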