Critical Denial-of-Service Flaw in BIND Software Puts DNS Servers at Risk
A flaw in the widely used BIND DNS (Domain Name System) software can be exploited by remote attackers to crash DNS servers and affect the operation of other programs running on the same machines.
The flaw stems from the way regular expressions are processed by the libdns library that’s part of the BIND software distribution. BIND versions 9.7.x, 9.8.0 up to 9.8.5b1 and 9.9.0 up to 9.9.3b1 for UNIX-like systems are vulnerable, according to a security advisory published Tuesday by the ISC (Internet Systems Consortium), a nonprofit corporation that develops and maintains the software. The Windows versions of BIND are not affected.
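The version ranges above are the practical trigger for a defender: the first question is whether a given `named` binary falls inside them. The checker below is an added example, not code from the article or from ISC; it parses BIND version strings (including the `b`/`rc` pre-release and `-P` patch-level suffixes) so that, for instance, 9.8.5b1 is flagged while the final 9.8.5 is not. The `known_fixed` parameter is a hypothetical exclusion list, because the article does not name the patched maintenance releases.

```python
import re

# Version ranges the article quotes from the ISC advisory; bounds are inclusive.
# 9.7.x is affected in its entirety, so it is matched by series rather than by range.
AFFECTED_RANGES = [("9.8.0", "9.8.5b1"), ("9.9.0", "9.9.3b1")]
AFFECTED_SERIES = [(9, 7)]

# Accepts '9.8.5b1', '9.9.3rc1', '9.9.2-P1' or the 'BIND 9.9.2-P1' form printed by `named -v`.
VERSION_RE = re.compile(
    r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+))?(?:-P(\d+))?$", re.I)


def parse_version(text):
    """Turn a BIND version string into a sortable tuple.

    Ordering: betas (b) < release candidates (rc) < final release of the same
    number, and -Px patch levels sort after the release they patch, so that
    9.8.5b1 < 9.8.5rc1 < 9.8.5 < 9.8.5-P1.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version string: %r" % text)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    stage = {"b": 0, "rc": 1, None: 2}[m.group(4).lower() if m.group(4) else None]
    pre_num = int(m.group(5)) if m.group(5) else 0
    p_level = int(m.group(6)) if m.group(6) else 0
    return (major, minor, patch, stage, pre_num, p_level)


def is_affected(version, known_fixed=()):
    """True if `version` falls inside the ranges the advisory lists as vulnerable.

    `known_fixed` is a hypothetical exclusion list for patched maintenance
    releases confirmed against the advisory itself (none are named in the article).
    """
    v = parse_version(version)
    if any(parse_version(f) == v for f in known_fixed):
        return False
    if v[:2] in AFFECTED_SERIES:
        return True
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts; the first two are the advisory's upper bounds.
    for sample in ["BIND 9.8.5b1", "9.9.3b1", "9.9.3", "9.7.3", "9.8.4-P1", "9.6.3"]:
        print("%-14s %s" % (sample, "AFFECTED" if is_affected(sample) else "not affected"))
```

Only the version number is inspected, so Windows builds, which the advisory excludes, must be filtered out separately.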
BIND is by far the most widely used DNS server software on the Internet. It is the de facto standard DNS software for many UNIX-like systems, including Linux, Solaris, various BSD variants and Mac OS X.
The vulnerability can be exploited by sending specially crafted requests to vulnerable installations of BIND that would cause the DNS server process — the name daemon, known as “named” — to consume excessive memory resources. This can result in the DNS server process crashing and the operation of other programs on the same machine being severely affected.