Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

New BIND 9 DNS flaw is worse than Kaminsky’s

A flaw in all versions of BIND 9 reportedly being widely exploited has the potential to cause widespread damage if it goes unpatched, security experts said.

The vulnerability affects the Domain Name Server (DNS) software called BIND 9, which a very large portion of the internet runs on. Specifically, BIND 9 servers that are masters for one or more DNS zones are susceptible to being taken down by a denial of service attack, the Internet Software Consortium (ISC), which develops BIND, said in an advisory.

ISC reported that the vulnerability is currently being widely exploited through specially crafted dynamic update messages sent to vulnerable BIND 9 servers. Receiving this single packet causes the server to stop running and kicks it offline, Richard Hyatt, co-founder and CTO of DNS management vendor BlueCat Networks, told on Wednesday.

Hyatt said that since there are millions of servers running BIND, the vulnerability has the potential to “take a big chunk of the internet offline.” In fact, he thinks that this issue is bigger than the DNS cache poisoning flaw that security researcher Dan Kaminsky revealed last year.

Kaminsky's flaw, which allowed an attacker to perform DNS cache poisoning attacks, resulted in users getting misdirected, Hyatt said. The attack was dangerous because it questioned the trust of the DNS space. But, Kaminsky's vulnerability did not take service offline and required a massive attack to cause an impact on a wide scale, Hyatt said.

The BIND flaw, in contrast, gives attackers the ability to take down servers until they are updated, Hyatt said. Also, the attack on BIND servers is simple to write, he added.

“This can lead to be a major disruption of service for telecom, government, military, transportation and other critical infrastructure services that depend on DNS to ensure the network applications can talk to each other,” Hyatt said.

In addition, the BIND vulnerability requires that all BIND servers get patched versus just the recursive servers in the Kaminsky attack.

Howard Eland, senior director of content propagation and resolution at internet infrastructure services vendor Afilias also said that this vulnerability is “much worse” than Kaminsky's.

“The BIND bug would have an immediate impact on more people,” Eland said.

That's because Kaminsky's flaw allowed an attacker to insert wrong answers into a cache, but would affect only the users of that cache who would be directed to the wrong websites. The BIND flaw would prevent anyone from accessing the affected website.

“It [the BIND flaw] does not allow the attacker to insert wrong data, however, it merely denies access to legitimate data,” Eland said.

In addition, Hyatt said that while ISC reported that the problem affects only master servers, slave and recursive servers could potentially be taken down as well.

“If you follow best practices, you will have master zones on slave servers and recursive servers as well,” Hyatt said.

In an advisory posted on Wednesday, U.S.-CERT urged users to apply the updates that are available.

“The message to system administrators needs to be -- you should stop what you are doing today and go do this now,” Eland said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.