New warning on DNS vulnerability
Servers at risk say agencies.
By Ellen Messmer, Network World (US) | Network World US | Published: 06:07, 30 July 2009
DNS users have been warned about a new vulnerability that could put their servers at risk. The Internet Systems Consortium (ISC) and United States Computer Emergency Readiness Team (CERT) have discovered a flaw in the BIND9 DNS code that could be exploited to cause a system crash.
There is also believed to be an attack script floating around in the wild that could be used to exploit the vulnerability. "It's a zero-day exploit and you need to patch BIND9 immediately," said Richard Hyatt, co-founder of Toronto-based BlueCat Networks, which has released a patch that can be applied to its DNS products for the vulnerability.
The CERT advisory, first issued 28 July and updated yesterday, lists sources of BIND9 implementations that may be vulnerable. Ubuntu is reported as vulnerable, for instance, but Nominem is said not to be. The list is expected to be updated periodically.
"By sending a specially-crafted packet to a BIND9 Server, a remote unauthenticated attacker can cause a denial of service, causing BIND to crash," according to the US-CERT advisory.
According to Hyatt, this attack can be carried out by sending one packet for a dynamic DNS update, "and it doesn't matter whether the server supports dynamic updates or not."
A single packet could crash the BIND9 DNS Server, which would have to be restarted manually. The problem impacts both authoritative and recursive BIND9 DNS Servers, said Hyatt, who believes there are tens of millions of DNS Servers that are probably vulnerable to the denial-of-service attack.
There is the potential for worm-based attack over the next few days to exploit this vulnerability before systems are patched, Hyatt said.
