A flaw in the widely used BIND DNS (Domain Name System) software can be exploited by remote attackers to crash DNS servers and affect the operation of other programs running on the same machines.
The flaw stems from the way regular expressions are processed by the libdns library that's part of the BIND software distribution. BIND versions 9.7.x, 9.8.0 up to 9.8.5b1 and 9.9.0 up to 9.9.3b1 for UNIX-like systems are vulnerable, according to a security advisory published Tuesday by the ISC (Internet Systems Consortium), a nonprofit corporation that develops and maintains the software. The Windows versions of BIND are not affected.
[ InfoWorld's expert contributors show you how to secure your Web browsers in a free PDF guide. Download it today! | Learn how to protect your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]
BIND is by far the most widely used DNS server software on the Internet. It is the de facto standard DNS software for many UNIX-like systems, including Linux, Solaris, various BSD variants and Mac OS X.
The vulnerability can be exploited by sending specifically crafted requests to vulnerable installations of BIND that would cause the DNS server process -- the name daemon, known as "named" -- to consume excessive memory resources. This can result in the DNS server process crashing and the operation of other programs being severely affected.
"Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions," the ISC said. The organization rates the vulnerability as critical.
One workaround suggested by the ISC is to compile BIND without support for regular expressions, which involves manually editing the "config.h" file using instructions provided in the advisory. The impact of doing this is explained in a separate ISC article that also answers other frequently asked questions about the vulnerability.
The organization also released BIND versions 9.8.4-P2 and 9.9.2-P2, which have regular expression support disabled by default. BIND 9.7.x is no longer supported and won't receive an update.
"BIND 10 is not affected by this vulnerability," the ISC said. "However, at the time of this advisory, BIND 10 is not 'feature complete,' and depending on your deployment needs, may not be a suitable replacement for BIND 9."
According to the ISC, there are no known active exploits at the moment. However, that might soon change.
"It took me approximately ten minutes of work to go from reading the ISC advisory for the first time to developing a working exploit," a user named Daniel Franke said in a message sent to the Full Disclosure security mailing list on Wednesday. "I didn't even have to write any code to do it, unless you count regexes [regular expressions] or BIND zone files as code. It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild."
Franke noted that the bug affects BIND servers that "accept zone transfers from untrusted sources." However, that is just one possible exploitation scenario, said Jeff Wright, manager of quality assurance at the ISC, Thursday in a reply to Franke's message.