
BIND update fixes high-severity flaw affecting ICS, as CERT releases update to CSET tool

The Internet Systems Consortium (ISC) released an update Tuesday for a high-severity security flaw in the Berkeley Internet Name Domain (BIND) software, the open source software component that implements Domain Name System (DNS) protocols. Remote attackers could exploit the flaw to launch denial-of-service (DoS) attacks.

The vulnerability (CVE-2016-2776) scored a 7.8 on the Common Vulnerability Scoring System severity rating.

The BIND vulnerability could be exploited by attackers to gain access to critical systems or knock a vulnerable critical system off the grid, according to RiskSense CEO Srinivas Mukkamala. “BIND is a very important protocol and it absolutely needs to be secured,” he said, speaking with SCMagazine.com. “Operators have to pay very close attention and remediate this as soon as possible.”

The critical error condition may occur as a name server is constructing a response to a DNS query. “A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c,” wrote ISC senior support engineer Brian Conry. The assertion “can be triggered even if the apparent source address isn't allowed to make queries,” Conry added.

The vulnerability affects all servers “if they can receive request packets from any source.” This includes versions 9.9.9-P3, 9.10.4-P3, 9.11.0rc3, and 9.9.9-S5 of the open source software.

The update is “paramount to the long-term safety of industrial control systems,” Strategic Cyber Ventures CEO Tom Kellermann wrote in an email to SCMagazine.com.

The BIND update underscores the need for tools that assist administrators in strengthening the security of industrial control systems. The update comes as the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released an update to its Cyber Security Evaluation Tool (CSET), v8.0.

Ann Barron-DiCamillo, CTO at Strategic Cyber Ventures and former director of US-CERT, said the latest iteration of CSET will help industrial control operators better assess vulnerabilities.

The evaluation tool “provides a dashboard of charts showing areas of strength and weakness, as well as a prioritized list of recommendations for increasing the site's cybersecurity posture,” according to a CSET fact sheet.

Gigamon head of security strategy Justin Harvey celebrated the expansion of freely available tools for industrial control systems, but noted in an email to SCMagazine.com that many ICS vendors do not support the use of third-party software. “This means that complete network visibility is even more important to detecting attacks and threats,” he wrote.

The tool reduces “disconnect” between IT and OT, according to SCADAfence co-founder and CEO Yoni Shohet. IT-OT dialog is “crucial to enable a true ICS security program,” he wrote to SCMagazine.com.

The CSET tool is “a very important step forward for the industry,” noted Nation-E CEO Idan Udi Edry. “It acknowledges the dangers and risks, and it points to the measures that can be used to eliminate those risks,” he wrote.

The maturity of the scanning tool “is constantly improving year over year,” Mukkamala told SCMagazine.com.
