Manipulated data causes BIND DNS servers to crash

An advisory from the Austrian national CERT warns that the free DNS server BIND, which is maintained by the Internet Systems Consortium (ISC), contains a security vulnerability that allows attackers to crash it using specially crafted data records.

The ISC says that resource records with RDATA fields that exceed 65535 bytes cause the domain name server to crash the next time this record is queried. The following versions of BIND are affected:

• BIND 9.0.x to 9.6.x
• BIND 9.4-ESV to 9.4-ESV-R5-P1
• BIND 9.6-ESV to 9.6-ESV-R7-P2
• BIND 9.7.0 to 9.7.6-P2
• BIND 9.8.0 to 9.8.3-P2
• BIND 9.9.0 to 9.9.1-P2

The ISC recommends that users upgrade to one of the current versions – 9.7.7, 9.7.6-P3, 9.6-ESV-R8, 9.6-ESV-R7-P3, 9.8.4, 9.8.3-P3, 9.9.2 or 9.9.1-P3 – as soon as possible.

The Austrian national CERT explains that sealing off a server from the outside is not sufficient to protect it against an attack. Apparently, a name server query could, for example, be triggered by an email, causing the server to load the specially crafted record. That the query appears to come "from the inside" offers no protection in this case. It remains unclear whether the flaw can only trigger server crashes or whether it can also be exploited to inject malicious software.

(crve)