Critical vulnerability in BIND 9 regular expression handling
It has been revealed that a malicious regular expression can cause a denial-of-service of the open source BIND DNS server on Linux and Unix systems. Other programs using BIND's libdns are also potentially vulnerable to the same attack. The critical bug allows attacker to cause excessive memory consumption by the named process which could lead to the daemon using all available memory on the affected machine; this could lead to the crashing of BIND and detrimentally affect other services running on the same server.
The problem has been reported as CVE-2013-2266 and only affects Linux and Unix versions of BIND – the flaw is not present in Windows versions of the program. Vulnerable versions include 9.7.x, 9.8.0 to 9.8.5b1 and 9.9.0 to 9.9.3b1 of BIND. Versions prior to BIND 9.7.0 are not vulnerable; BIND 10 is not affected either.
Fixed versions of BIND have been released as BIND 9.9.2-P2 and 9.8.4-P2, BIND 9.7 has already reached end of life and is no longer being maintained. Applications that use BIND's libdns library are also affected and should be updated as quickly as possible. As a workaround, developers can compile libdns with regex functionality disabled.
The Internet Systems Consortium (ISC), which maintains BIND, points out that the flaw is not very difficult to exploit and recommends immediate action by owners of named servers to ensure that their systems are not affected.