A new denial-of-service (DoS) vulnerability was discovered in BIND DNS, updates available
BIND is the most widely used Domain Name System (DNS) software on the Internet: it lets you publish your DNS information and resolve DNS queries for your users. On Unix-like operating systems it is the de facto standard.
According to ISC, only servers configured to use both Response Policy Zones (RPZ) and DNS64 (a method for synthesizing AAAA records from A records) at the same time are potentially vulnerable. The new vulnerability, CVE-2017-3135, was found in the way BIND handles query responses and allows an attacker to terminate the name daemon (named) with a specially crafted DNS response. Successful exploitation therefore results in a denial of service.
The following versions are affected by the vulnerability:
- 9.9.3-S1 -> 9.9.9-S7
- 9.9.3 -> 9.9.9-P5
- 9.10.0 -> 9.10.4-P5
- 9.11.0 -> 9.11.0-P2
How to protect?
Although the vulnerability can be avoided by removing either DNS64 or RPZ from the configuration, upgrading is the recommended fix. ISC has released versions 9.9.9-P6, 9.10.4-P6 and 9.11.0-P3 to patch CVE-2017-3135, and Linux distributions are likely to ship their own updated packages to address it. Update your BIND installation after thorough testing. You can find the fixed releases here.
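As an added example (not from the advisory or from ISC), the following POSIX shell script checks two things a defender would want to confirm on a BIND host: whether a named.conf has both a dns64 and a response-policy statement active (the combination ISC says is exposed), and whether a version string is at or above the fixed releases listed above. It assumes a self-contained config (include files are not followed) and plain "x.y.z[-Pn]" version strings; the sample configuration is constructed for the demonstration.

```shell
# Added example: flag a named.conf that activates both RPZ and DNS64, and
# compare a BIND version string against the fixed releases for CVE-2017-3135.
# Assumes a self-contained config and plain "x.y.z[-Pn]" version strings.

# Remove //, # and /* ... */ comments so commented-out statements don't match.
strip_named_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (inblock) {
                e = index(line, "*/"); if (e == 0) break
                line = substr(line, e + 2); inblock = 0
            } else {
                s = index(line, "/*"); if (s == 0) { out = out line; break }
                out = out substr(line, 1, s - 1); line = substr(line, s + 2); inblock = 1
            }
        }
        sub(/\/\/.*$/, "", out); sub(/#.*$/, "", out); print out
    }'
}
# Exit 0 when both a dns64 and a response-policy statement are active in the
# configuration read from stdin: the combination the advisory says is exposed.
uses_rpz_and_dns64() {
    cfg=$(strip_named_comments)
    printf '%s\n' "$cfg" | grep -Eq '(^|[[:space:];{])dns64[[:space:]]' &&
    printf '%s\n' "$cfg" | grep -Eq '(^|[[:space:];{])response-policy[[:space:]{]'
}
# Exit 0 at or above 9.9.9-P6 / 9.10.4-P6 / 9.11.0-P3, 1 below, 2 for branches
# or editions (e.g. the -S subscription builds) this check does not cover.
bind_version_fixed() {
    base=${1%%-*}; suffix=${1#"$base"}; plevel=0
    case $suffix in -P*) plevel=${suffix#-P} ;; "") ;; *) return 2 ;; esac
    maj=${base%%.*}; rest=${base#*.}; min=${rest%%.*}; pat=${rest#*.}
    case "$maj.$min" in
        9.9)  fix_pat=9; fix_p=6 ;;  9.10) fix_pat=4; fix_p=6 ;;
        9.11) fix_pat=0; fix_p=3 ;;  *) return 2 ;;
    esac
    [ "$pat" -gt "$fix_pat" ] && return 0
    [ "$pat" -eq "$fix_pat" ] && [ "$plevel" -ge "$fix_p" ] && return 0
    return 1
}
# Constructed sample config: the commented-out response-policy must not count.
SAMPLE_CONF='options { dns64 64:ff9b::/96 { clients { any; }; }; };
// response-policy { zone "old.rpz.example"; };
response-policy { zone "rpz.example"; };'
if printf '%s\n' "$SAMPLE_CONF" | uses_rpz_and_dns64; then
    echo "RPZ and DNS64 both active: confirm named is on a fixed release"
fi
```

On a real host, feed the script the output of `named-checkconf -p` (which expands includes) instead of the raw file, and the version reported by `named -v`.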