The Internet Systems Consortium issued a security advisory on Wednesday, warning that some third parties are distributing outdated versions of ISC's Berkeley Internet Name Domain (BIND) software that contain a high-severity vulnerability, which bad actors can use to remotely trigger an assertion failure.
ISC described the issue affecting the open-source Domain Name System software as being triggered by a packet with a malformed options section. “A server vulnerable to this defect can be forced to exit with an assertion failure if it receives a malformed packet,” the advisory states. As of May 2013, the flaw was corrected in ISC-distributed versions of the software, but other entities are distributing software packages that include a vulnerable version of BIND without the patch, identified as fix #3548. Users of ISC-distributed BIND versions that predate May 2013 are also susceptible to the vulnerability, designated CVE-2016-2848.
BIND is the open-source software component that implements Domain Name System protocols. Versions 9.1.0 through 9.9.4-P2 and 9.9.0 through 9.9.2-P2 are affected.