Internet Security Systems (ISS) on Tuesday warned that several serious
vulnerabilities have been detected in the Berkeley Internet Name Domain
(BIND) Server, the most common implementation of the DNS
protocol.
In a security
alert, ISS said the most serious flaws were found in BIND 4.9.5 to 4.9.10 and
in BIND 8.1, 8.2 to 8.2.6 and 8.3.0 to 8.3.3, and affect nearly all currently
deployed recursive DNS servers on the Internet. “Upgrading to BIND version
9.2.1 is strongly recommended,” ISS said.
While no exploits of the flaws are known to be in circulation, ISS warned that
if exploits are developed and made public, they may lead to compromise of, and
DoS attacks against, vulnerable DNS servers.
“The immediate fear is that an Internet worm may be developed to propagate by
exploiting the flaws in BIND,” the outfit said, warning that widespread
attacks against the DNS system may lead to general instability and
inaccuracy of DNS data.
The security outfit said a buffer overflow exists in BIND 4 and 8 that may
lead to remote compromise of vulnerable DNS servers. An attacker who controls
any authoritative DNS server may cause BIND to cache DNS information within
its internal database if recursion is enabled (recursion is enabled by default
unless explicitly disabled via command line options or in the BIND
configuration file).
“There is a flaw in the formation of DNS responses containing SIG resource
records (RR) that can lead to buffer overflow and execution of arbitrary
code,” it warned.
The second flaw concerns recursive BIND 8 servers, which can abruptly
terminate due to an assertion failure. The denial of service is triggered by a
lookup on a nonexistent sub-domain of a valid domain name: an attacker may
cause BIND 8 to terminate by attaching an OPT resource record with a large UDP
payload size to the query, ISS said, warning that the DoS can also be triggered
for queries on domains whose authoritative DNS servers are unreachable.
ISS also warned of a BIND SIG Expiry Time denial-of-service bug that
affects recursive BIND 8 servers. “An attacker who controls any
authoritative name server may cause vulnerable BIND 8 servers to attempt to
cache SIG RR elements with invalid expiry times. These are removed from the
BIND internal database, but later improperly referenced, leading to a DoS
condition,” the firm said.
While encouraging an immediate upgrade to BIND version 4.9.11, 8.2.7 or 8.3.4,
or to BIND version 9, ISS said that, for DNS servers that do not need to
answer recursive queries, a workaround is to disable recursion in the BIND
configuration file.