BIND comes apart thanks to ancient denial-of-service vuln

No active exploits, but crashes are happening in the wild


Back in 2000, a bug crept into the Internet Systems Consortium's (ISC) BIND server, and it lay unnoticed until now.

The result: if you're running a vulnerable version of BIND and using DNSSEC, you need to patch the server against a denial-of-service vulnerability.

The venerable BIND is the world's most-used Domain Name System (DNS) software.

The vulnerability, disclosed on January 16th, is in named, the BIND name daemon: “Improper sequencing during cleanup can lead to a use-after-free error, triggering an assertion failure and crash in named”, the advisory states.

The assertion that trips is in netaddr.c, a source file in the daemon's own ISC support library (lib/isc), not in a separately installed library.

Disabling DNSSEC validation is offered as a workaround, since validation is the path by which the crash is triggered in practice, but the bug itself has been present in every release since BIND 9.0.0 (released in 2000), so the advisory says all of those versions need to be patched.

The issue is most serious for “versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1”, the advisory says.

“No known active exploits but crashes due to this bug have been reported by multiple parties”, the advisory continues.
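As an added example (not code from the article, and not ISC's), the following Python script takes the output of `named -v` and checks whether the reported version falls inside the ranges the advisory singles out above. It encodes only the ranges quoted on this page; the page does not name the fixed releases, so any other 9.x build is flagged for checking against the full advisory rather than declared safe. The ordering rules (a1 < rc1 < final release < -P1, and -S subscription builds compared only against -S ranges) are my reading of ISC's version numbering, and the `named -v` lines at the bottom are constructed samples, not real hosts.

```python
import re

# Ranges quoted above from the ISC advisory as the ones where the issue is
# most serious. Copied from the article text; nothing else is assumed.
CRASH_OBSERVED_RANGES = [
    ("9.9.9-P8", "9.9.11"),
    ("9.10.4-P8", "9.10.6"),
    ("9.11.0-P5", "9.11.2"),
    ("9.9.9-S10", "9.9.11-S1"),
    ("9.10.5-S1", "9.10.6-S1"),
    ("9.12.0a1", "9.12.0rc1"),
]

# BIND version grammar handled here (assumption, matches the strings above):
# MAJOR.MINOR.PATCH, optional pre-release tag (a1, b2, rc1), then an optional
# -P<n> (patch level) or -S<n> (subscription edition) suffix.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"
    r"(?:(a|b|rc)(\d+))?"
    r"(?:-(P|S)(\d+))?$"
)
# Pre-release stages sort before the final release, which gets rank 3.
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}


def parse_version(text):
    """Return (is_subscription_edition, sort_key) for a BIND version string.

    The key orders releases as ISC numbers them:
    9.12.0a1 < 9.12.0rc1 < 9.12.0 < 9.12.0-P1. Raises ValueError on junk.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, stage, stage_num, suffix, level = m.groups()
    key = (int(major), int(minor), int(patch),
           _STAGE_RANK[stage], int(stage_num or 0), int(level or 0))
    return suffix == "S", key


def version_from_named_v(output):
    """Pull the version token out of `named -v` output such as
    'BIND 9.11.2-P1 <id:...>'. Distro suffixes like '-Ubuntu' are dropped."""
    m = re.search(r"BIND\s+(\d+\.\d+\.\d+(?:(?:a|b|rc)\d+)?(?:-[PS]\d+)?)", output)
    if not m:
        raise ValueError(f"no BIND version found in: {output!r}")
    return m.group(1)


def in_crash_observed_range(version):
    """True if `version` lies inside one of the listed ranges.

    -S builds are compared only against -S ranges and vice versa, because the
    subscription line is numbered independently of the public releases.
    """
    is_s, key = parse_version(version)
    for lo, hi in CRASH_OBSERVED_RANGES:
        lo_s, lo_key = parse_version(lo)
        hi_s, hi_key = parse_version(hi)
        if lo_s == is_s == hi_s and lo_key <= key <= hi_key:
            return True
    return False


def classify(version):
    """Bucket a version using only what the advisory excerpt states:
    'crash-observed' for the listed ranges; 'since-9.0.0-check-advisory' for
    any other 9.x build (the bug exists since 9.0.0 and the fixed releases are
    not named on this page, so confirm against the full advisory);
    'not-bind9' for anything older."""
    _, key = parse_version(version)
    if in_crash_observed_range(version):
        return "crash-observed"
    if key[0] >= 9:
        return "since-9.0.0-check-advisory"
    return "not-bind9"


if __name__ == "__main__":
    # Constructed sample `named -v` lines (hashes are made up), not real hosts.
    samples = [
        "BIND 9.10.5-P2 <id:deadbee1>",
        "BIND 9.9.11-P1 <id:deadbee2>",
        "BIND 9.10.3-P4-Ubuntu <id:deadbee3>",
        "BIND 9.12.0b1 <id:deadbee4>",
        "BIND 9.9.11-S1 <id:deadbee5>",
    ]
    for line in samples:
        v = version_from_named_v(line)
        print(f"{v:14s} {classify(v)}")
```

Two caveats when using this on real fleets. Distribution packages (the constructed "9.10.3-P4-Ubuntu" line is the pattern) routinely backport fixes without bumping the upstream version string, so a range match is a prompt to read the package changelog, not proof of exposure. And the workaround the advisory describes corresponds to `dnssec-validation no;` in the `options` block of named.conf, which removes validation for every client of that resolver; treat it as a stopgap until the patched build is deployed.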

Jayachandran Palanisamy of Cygate identified the bug. ®
