
Critical vulnerabilities in the BIND DNS server allow attackers to remotely shut it down and conduct DoS attacks



Critical vulnerabilities have been discovered in the popular BIND DNS server. Exploiting them allows attackers to conduct a DoS attack and to remotely stop the server. The vulnerability information was published by ISC, the organization that develops BIND and under whose license the software is distributed.

What is the problem


An error in the input handler of the control channel (CVE-2016-1285) allows an attacker to crash the BIND server by sending a specially crafted packet. To carry out the attack, the attacker must use an address listed in the "controls" section of the named.conf file, or have access to the machine where the server is running if the control channel uses the default address list.

Vulnerability CVE-2016-1286 is the incorrect processing of DNAME records, which causes a failure in the resolver.c or db.c module and thus a denial of service for the server's users. The error CVE-2016-2088, in turn, is in the code that implements support for DNS cookies: an attacker could cause a denial of service with a specially crafted packet.

Over the years, researchers have discovered a large number of serious security problems in BIND versions before 9. In this case, the vulnerable releases are in the 9.x series:


How to protect


Patches have already been released for all the errors listed above. ISC's security bulletins recommend that users of vulnerable BIND versions update as soon as possible to the fixed release closest to the version they currently run.

ISC experts also indicate that at the moment they have no information about the existence of working exploits for these vulnerabilities.

However, Positive Technologies researchers managed to use the vulnerability described above to carry out a DoS attack on the dig utility, which is part of the BIND package. The same vulnerable piece of code is also fully present in the BIND named daemon.



The dig utility uses dighost.c, and the named daemon uses resolver.c. The fix is the same for both files and consists of adding a check guaranteeing that only the first cookie option is processed:

    /*
     * Only process the first cookie option.
     */
    if (seen_cookie) {
            isc_buffer_forward(&optbuf, optlen);
            break;
    }
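As an added example (not BIND's own code), a small C walker over the RDATA of an EDNS(0) OPT record that applies the same seen_cookie guard: only the first COOKIE option (code 10) is processed and any later one is stepped over, while truncated options are rejected instead of being read past the buffer. The sample option buffer is constructed for the demonstration, not taken from a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define OPT_COOKIE 10 /* EDNS option code for DNS COOKIE (RFC 7873) */

struct opt_result {      /* result of walking one OPT record's RDATA */
    int options_seen;    /* options walked, including skipped duplicates */
    int cookies_skipped; /* COOKIE options ignored after the first one */
    int cookie_len;      /* length of the cookie processed, 0 if none */
    int truncated;       /* 1 if an option ran past the end of the buffer */
};

/* Walk OPT RDATA: each option is a 16-bit code, a 16-bit length and
 * `optlen` data bytes (RFC 6891, 6.1.2). Only the first COOKIE option
 * is processed; later ones are stepped over, mirroring the seen_cookie
 * guard in the fix. Returns 0, or -1 if an option is truncated. */
int parse_opt_rdata(const uint8_t *buf, size_t len, struct opt_result *out)
{
    size_t pos = 0;
    int seen_cookie = 0;
    memset(out, 0, sizeof(*out));
    while (pos < len) {
        if (len - pos < 4) {                 /* incomplete option header */
            out->truncated = 1;
            return -1;
        }
        uint16_t code   = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        uint16_t optlen = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        pos += 4;
        if (optlen > len - pos) {            /* body runs past the RDATA */
            out->truncated = 1;
            return -1;
        }
        out->options_seen++;
        if (code == OPT_COOKIE) {
            if (seen_cookie)                 /* the guard from the fix */
                out->cookies_skipped++;
            else { seen_cookie = 1; out->cookie_len = optlen; }
        }
        pos += optlen;                       /* skip this option's data */
    }
    return 0;
}

/* Constructed sample (not a real capture): an 8-byte client COOKIE, a
 * second COOKIE option, then a 2-byte option with code 0x1234. */
static const uint8_t sample_opt[] = {
    0x00, 0x0a, 0x00, 0x08, 1, 2, 3, 4, 5, 6, 7, 8,
    0x00, 0x0a, 0x00, 0x08, 9, 9, 9, 9, 9, 9, 9, 9,
    0x12, 0x34, 0x00, 0x02, 0xaa, 0xbb
};
```

Passing the same buffer with a shorter length (cutting inside the second option's body) exercises the truncation check rather than reading past the end.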

Experts at Positive Technologies also recommend using specialized tools to detect vulnerabilities, such as the MaxPatrol 8 security monitoring and compliance system.

Source: https://habr.com/ru/post/279503/

