The Internet Systems Consortium (ISC) has released security updates for the BIND DNS server software in order to address a serious denial of service vulnerability.
The vulnerability, identified as CVE-2011-1910, could be exploited by attackers to crash a large number of BIND 9 DNS resolvers by sending specially crafted domain queries.
“The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger.
“The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would ‘trigger’ the vulnerability.
“The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup),” the ISC explains in its advisory.
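The advisory describes the trigger as a burst of lookups for non-existent names under a single attacker-controlled zone, reaching the resolver from many clients. A resolver operator can watch for that shape of traffic in BIND's query log. The following script is an added example written for this article, not code from ISC or from the original advisory; the log lines are constructed samples in the classic `named` query-log layout (`client ip#port: query: name IN type`), and the thresholds and the two-label zone heuristic are assumptions an operator would tune for their own environment.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample query-log lines (not real traffic). Six distinct random-looking
# labels under one zone, from three clients, alongside ordinary traffic.
SAMPLE_LOG = """\
28-Apr-2011 10:00:01.123 client 192.0.2.10#53102: query: www.example.org IN A + (198.51.100.53)
28-Apr-2011 10:00:01.301 client 192.0.2.10#53103: query: mail.example.org IN MX + (198.51.100.53)
28-Apr-2011 10:00:01.456 client 192.0.2.11#40211: query: k3x9q.badzone.test IN A + (198.51.100.53)
28-Apr-2011 10:00:01.512 client 192.0.2.12#40212: query: p0d7w.badzone.test IN A + (198.51.100.53)
28-Apr-2011 10:00:01.588 client 192.0.2.11#40213: query: z2m8r.badzone.test IN A + (198.51.100.53)
28-Apr-2011 10:00:01.640 client 192.0.2.13#40214: query: h6t1v.badzone.test IN A + (198.51.100.53)
28-Apr-2011 10:00:01.702 client 192.0.2.12#40215: query: c4n5b.badzone.test IN A + (198.51.100.53)
28-Apr-2011 10:00:01.770 client 192.0.2.13#40216: query: y8j2f.badzone.test IN A + (198.51.100.53)
28-Apr-2011 10:00:02.000 general: info: resolver priming query complete
"""

# Matches the query-log layout; lines that are not queries (e.g. general log
# messages) simply fail to match and are skipped.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def zone_of(name: str, depth: int = 2) -> str:
    """Return the last `depth` labels of a name as a crude zone key.

    Assumption: two labels approximate the registrable zone for the sample data;
    a real deployment would use a public-suffix list instead.
    """
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def suspicious_zones(
    lines: Iterable[str], min_names: int = 5, min_clients: int = 2
) -> Dict[str, Tuple[int, int]]:
    """Find zones receiving many distinct names from several clients.

    Returns {zone: (distinct_names, distinct_clients)} for zones over both
    thresholds. A high count of unique names under one zone is the pattern the
    advisory describes (lookups for non-existent names); requiring several
    source clients filters out a single misbehaving host.
    """
    names = defaultdict(set)
    clients = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        zone = zone_of(m["name"])
        names[zone].add(m["name"].lower())
        clients[zone].add(m["ip"])
    return {
        zone: (len(names[zone]), len(clients[zone]))
        for zone in names
        if len(names[zone]) >= min_names and len(clients[zone]) >= min_clients
    }


if __name__ == "__main__":
    for zone, (n_names, n_clients) in suspicious_zones(SAMPLE_LOG.splitlines()).items():
        print(f"{zone}: {n_names} distinct names from {n_clients} clients")
```

Run against a live log (for example, piping `tail -f` of the query log into the script), the thresholds should be raised well above the toy values used here so that legitimate wildcard-heavy zones do not trip the check.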
The vendor encourages users to update to the newly released BIND versions 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2. BIND 9.6.2-P3 is not affected.
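Checking a fleet of resolvers against these release numbers is awkward because BIND mixes two naming schemes (`9.7.3-P1` versus `9.6-ESV-R4-P1`). The script below is an added example for this article, not code from ISC or from the BIND project: it parses both schemes, compares a running version against the patched release for its branch, and applies the article's statement that 9.6.2-P3 is not affected. The fixed-release table contains only the versions named above; any branch not in that table is reported as unknown rather than guessed at, and the helper that reads `named -v` output assumes the usual `BIND <version>` form of that line.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Patched releases named in the ISC advisory for CVE-2011-1910, as listed above.
FIXED_RELEASES = ["9.4-ESV-R4-P1", "9.6-ESV-R4-P1", "9.7.3-P1", "9.8.0-P2"]
# Release the article states is not affected.
NOT_AFFECTED = {"9.6.2-P3"}

# Handles "9.7.3-P1" (numeric branch) and "9.6-ESV-R4-P1" (extended-support branch).
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?"
    r"(?P<esv>-ESV(?:-R(?P<r>\d+))?)?"
    r"(?:-P(?P<p>\d+))?$"
)


@dataclass(frozen=True)
class BindVersion:
    text: str
    major: int
    minor: int
    patch: int          # third numeric component; 0 on ESV branches
    is_esv: bool
    r: int              # ESV "R" level; 0 on numeric branches
    p: int              # "-Pn" security patch level; 0 if absent

    @property
    def branch(self) -> str:
        base = f"{self.major}.{self.minor}"
        return base + "-ESV" if self.is_esv else base

    def key(self) -> Tuple[int, int, int]:
        # Ordering within a branch: patch release, then ESV R-level, then -P level.
        return (self.patch, self.r, self.p)


def parse_version(text: str) -> BindVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    return BindVersion(
        text=text.strip(),
        major=int(m["major"]),
        minor=int(m["minor"]),
        patch=int(m["patch"] or 0),
        is_esv=m["esv"] is not None,
        r=int(m["r"] or 0),
        p=int(m["p"] or 0),
    )


FIXED_BY_BRANCH: Dict[str, BindVersion] = {
    v.branch: v for v in map(parse_version, FIXED_RELEASES)
}


def version_from_named_output(line: str) -> str:
    """Extract the version token from a 'named -v' line such as 'BIND 9.7.3-P1'."""
    m = re.search(r"\bBIND\s+(\S+)", line)
    if not m:
        raise ValueError(f"no BIND version found in: {line!r}")
    return m.group(1)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_release) for a running BIND version.

    status is one of: "not_affected", "patched", "upgrade", "unknown_branch".
    "upgrade" means the version is below the patched release for its branch and
    should be treated as potentially vulnerable until confirmed otherwise.
    """
    v = parse_version(version_text)
    if v.text in NOT_AFFECTED:
        return ("not_affected", None)
    fixed = FIXED_BY_BRANCH.get(v.branch)
    if fixed is None:
        return ("unknown_branch", None)
    if v.key() >= fixed.key():
        return ("patched", fixed.text)
    return ("upgrade", fixed.text)


if __name__ == "__main__":
    for sample in ["BIND 9.7.3", "BIND 9.7.3-P1", "BIND 9.6-ESV-R3", "BIND 9.6.2-P3", "BIND 9.5.1"]:
        ver = version_from_named_output(sample)
        print(f"{ver:>16}: {assess(ver)}")
```

A version above the patched release on the same branch is reported as "patched" on the assumption that later releases carry the fix forward; an unknown branch is left for a human to check against the ISC advisory rather than silently marked safe.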
ISC credits Frank Kloeker and Michael Sinatra for discovering this vulnerability, which has a CVSS base score of 7.8 out of a maximum of 10.
BIND is the most widely used DNS server software and is distributed by default with the vast majority of Unix and Linux platforms. It is maintained by the Internet Systems Consortium (ISC), a non-profit corporation that develops and maintains several software projects critical to the Internet infrastructure.
The Domain Name System (DNS) is one of the core components of the Internet and resembles a phone book. DNS resolvers are responsible for associating Internet addresses (IPs) with the more human-readable domain names.