BIND comes apart thanks to ancient denial-of-service vuln
No active exploits, but crashes are happening in the wild
Back in 2000, a bug crept into the Internet Systems Corporation's BIND server, and it lay unnoticed until now.
The result: if you're running a vulnerable version of BIND and using DNSSEC, you need to patch the server against a denial-of-service vulnerability.
The venerable BIND is the world's most-used Domain Name System (DNS) software.
The vulnerability, disclosed on January 16th, is in the
named (name daemon): “Improper sequencing during cleanup can lead to a use-after-free error, triggering an assertion failure and crash in named”, the advisory states.
The error is in the
netaddr.c library in the daemon.
Disabling DNSSEC validation provides a workaround, but the advisory says all versions since BIND 9.0.0 (released in 2000) need to be patched.
The issue is most serious for “versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1”.
“No known active exploits but crashes due to this bug have been reported by multiple parties”, the advisory continues.
Jayachandran Palanisamy of Cygate identified the bug. ®