BIND DNS server updates close critical hole
The Internet Systems Consortium (ISC) is warning users of a critical vulnerability in the free BIND DNS server that can be exploited by an attacker to cause a denial-of-service (DoS) condition.
According to the ISC, the security issue (CVE-2012-5166) is caused by a problem when processing a specially crafted combination of resource records (RDATA). When loaded, this data can cause a name server to lock up. The ISC says that, when this happens, normal functionality can only be restored by terminating and restarting the named daemon.
Affected versions include 9.2.x to 9.6.x, 9.4-ESV to 9.4-ESV-R5-P1, 9.6-ESV to 9.6-ESV-R7-P3, 9.7.0 to 9.7.6-P3, 9.8.0 to 9.8.3-P3 and 9.9.0 to 9.9.1-P3. The ISC notes that while versions 9.2, 9.3, 9.4 and 9.5 of BIND are vulnerable, these branches are considered to be "end of life" (EOL) and are no longer updated. Upgrading to 9.7.7, 9.7.6-P4, 9.6-ESV-R8, 9.6-ESV-R7-P4, 9.8.4, 9.8.3-P4, 9.9.2 or 9.9.1-P4 corrects the problem. Alternatively, as a workaround, users can set the "minimal-responses" option to "yes" in order to prevent the lockup.
The ISC says that it currently knows of no active exploits. The new releases are available from the ISC's downloads page; all users are advised to update to the latest versions.
- Specially Crafted DNS Data Can Cause a Lockup in named, security advisory from the ISC.