March 29, 2013, 1:12 PM — A flaw in the widely used BIND DNS (Domain Name System) software can be exploited by remote attackers to crash DNS servers and affect the operation of other programs running on the same machines.
The flaw stems from the way regular expressions are processed by the libdns library that's part of the BIND software distribution. BIND versions 9.7.x, 9.8.0 up to 9.8.5b1 and 9.9.0 up to 9.9.3b1 for UNIX-like systems are vulnerable, according to a security advisory published Tuesday by the Internet Systems Consortium (ISC), a nonprofit corporation that develops and maintains the software. The Windows versions of BIND are not affected.
BIND is by far the most widely used DNS server software on the Internet. It is the de facto standard DNS software for many UNIX-like systems, including Linux, Solaris, various BSD variants and Mac OS X.
The vulnerability can be exploited by sending specifically crafted requests to vulnerable installations of BIND that would cause the DNS server process -- the name daemon, known as "named" -- to consume excessive memory resources. This can result in the DNS server process crashing and the operation of other programs being severely affected.
"Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions," the ISC said. The organization rates the vulnerability as critical.
One workaround suggested by the ISC is to compile BIND without support for regular expressions, which involves manually editing the "config.h" file using instructions provided in the advisory. The impact of doing this is explained in a separate ISC article that also answers other frequently asked questions about the vulnerability.
The organization also released BIND versions 9.8.4-P2 and 9.9.2-P2, which have regular expression support disabled by default. BIND 9.7.x is no longer supported and won't receive an update.
"BIND 10 is not affected by this vulnerability," the ISC said. "However, at the time of this advisory, BIND 10 is not 'feature complete,' and depending on your deployment needs, may not be a suitable replacement for BIND 9."
According to the ISC, there are no known active exploits at the moment. However, that might soon change.
"It took me approximately ten minutes of work to go from reading the ISC advisory for the first time to developing a working exploit," a user named Daniel Franke said in a message sent to the Full Disclosure security mailing list on Wednesday. "I didn't even have to write any code to do it, unless you count regexes [regular expressions] or BIND zone files as code. It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild."
Franke noted that the bug affects BIND servers that "accept zone transfers from untrusted sources." However, that is just one possible exploitation scenario, said Jeff Wright, manager of quality assurance at the ISC, Thursday in a reply to Franke's message.
"ISC would like to point out that the vector identified by Mr. Franke is not the only one possible, and that operators of *ANY* recursive *OR* authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue," Wright said. "We wish, however, to express agreement with the main point of Mr. Franke's comment, which is that the required complexity of the exploit for this vulnerability is not high, and immediate action is recommended to ensure your nameservers are not at risk."
This bug could be a serious threat considering the widespread use of BIND 9, according to Dan Holden, director of the security engineering and response team at DDoS mitigation vendor Arbor Networks. Attackers might start targeting the flaw given the media attention surrounding DNS in the recent days and the low complexity of such an attack, he said Friday via email.
Several security companies said earlier this week that a recent distributed denial-of-service (DDoS) attack targeting an anti-spam organization was the largest in history and affected critical Internet infrastructure. The attackers made use of poorly configured DNS servers to amplify the attack.
"There is a fine line between targeting DNS servers and using them to perform attacks such as DNS amplification," Holden said. "Many network operators feel that their DNS infrastructure is fragile and often they go through additional measures to protect this infrastructure, some of which exacerbate some of these problems. One such example is deploying inline IPS devices in front of DNS infrastructure. Designing appropriate filters to mitigate these attacks with stateless inspection is near impossible."
"If operators are relying on inline detection and mitigation, very few security research organizations are proactive about developing their own proof-of-concept code on which to base a mitigation upon," Holden said. "Thus, these types of devices will very rarely get protection until we see semi-public working code. This gives attackers a window of opportunity that they may very well seize."
Also, historically DNS operators have been slow to patch and this may definitely come into play if we see movement with this vulnerability, Holden said.