Critical vulnerabilities of the BIND DNS server allow you to remotely disable it and conduct DoS attacks

Critical vulnerabilities detected in the popular BIND DNS server. Their exploitation can open up opportunities for attackers to carry out a DoS attack and also remotely stop its operation. Information about vulnerabilities was published by ISC specialists, under whose license BIND software is distributed.

What is the problem

An error in the operation of the control channel input data processor ( CVE-2016-1285 ) allows attackers to disable the BIND server by sending a specially crafted packet. To carry out an attack, a hacker must use the address specified in the “controls” section of the named.conf file, or have access to the machine on which the server is running if the control channel uses the default address list.

The CVE-2016-1286 vulnerability consists in incorrect processing of DNAME records, which leads to a failure of resolver.c or db.c modules, which leads to a denial of service for server users. Error CVE-2016-2088 in turncontained in the code responsible for implementing support for DNS cookies - as a result, an attacker can cause a denial of service using a specially crafted package.

In versions of BIND prior to number 9, researchers over the years have discovered a large number of serious security problems. In this case, it is releases that are vulnerable, starting with 9:

• Error CVE-2016-1285 affects versions 9.2.0 -> 9.8.8, 9.9.0-> 9.9.8-P3, 9.9.3-S1-> 9.9.8-S5, 9.10.0-> 9.10.3- P3
• Error CVE-2016-1286 —version 9.0.0 -> 9.8.8, 9.9.0 -> 9.9.8-P3, 9.9.3-S1 -> 9.9.8-S5, 9.10.0 -> 9.10.3- P3;
• Error CVE-2016-2088 - version 9.10.0 -> 9.10.3-P3.

How to protect yourself

For all the errors listed above, patches have already been released. ISC security bulletins recommend that users of vulnerable BIND versions update the server version as soon as possible to the one where the vulnerabilities have been fixed and which is closest in number to the one currently in use.

ISC experts also indicate that at the moment they have no information about the existence of working exploits for these vulnerabilities.

However, Positive Technologies researchers were able to use the vulnerability described above to launch a DOS attack on the dig utility, which is part of the BIND package. At the same time, a vulnerable piece of utility code is fully present in the BIND named daemon.



The dig utility uses dighost.c , and the named daemon uses resolver.c. The vulnerability elimination mechanism is the same for both files and consists of adding a check that guarantees the processing of only the first cookies:

/*
* Only process the first cookie option.
*/
if (seen_cookie) {
        isc_buffer_forward(&optbuf, optlen);
        break;
}

Positive Technologies experts also recommend using specialized tools for detecting vulnerabilities, such as a security monitoring system and compliance with MaxPatrol 8 standards .