Internet Systems Consortium (ISC) today issued a temporary patch for a zero-day vulnerability in BIND 9 DNS servers that’s causing Internet servers to crash. The fix doesn’t repair the vulnerability, but instead prevents DNS servers from crashing while handling the error, ISC said in an advisory.
Organizations across the Internet began reporting crashes that were interrupting service on BIND 9 name servers after logging an error while performing recursive queries. ISC said it is investigating whether this is just a denial-of-service condition, or whether there active exploits in the wild.
“Affected servers crashed after logging an error in query.c with the following message: “INSIST(! Dns_rdataset_isassociated(sigrdataset)),” ISC said in its advisory. “An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure.”
Multiple versions of the BIND 9 platform have been affected, including all supported versions of ISC BIND 9, as well as BIND 9.4-ESV, 9.6-EV, 9.7.x and 9.8.x.
“When a client query is handled, the code that processes the response to the client has to ask the cache for the records for the name that is being queried,” explained the ISC advisory. For this reason, there are two separate components of the patch: The first prevents the cache from returning the inconsistent data, while the second prevents the server from crashing if it detects it’s been given an inconsistent answer.
Currently, there are no known workarounds. ISC is encouraging users to upgrade BIND to one of its patched versions in order to mitigate the issue.