Security researchers are warning domain name system (DNS) server users to check their systems for the recently found flaw in versions of the ubiquitous ISC BIND software and patch it immediately.
The Computer Emergency Response Team (CERT) announced Wednesday a flaw in versions of BIND (Berkeley Internet Name Domain), the most popular DNS server. BIND servers translate Internet domain names to and from numeric Internet Protocol (IP) addresses.
An attacker exploiting the vulnerability could send a malformed packet of data to a DNS server and cause the system to shut down, causing a denial-of-service condition. This could affect other systems that depend on the server such as e-mail and Web servers, said Shawn Hernan, a technical staff member with CERT.
Attackers wishing to impact access to portions of the Internet could do damage because DNS servers "are the closest thing to a single point of failure on the Internet," said Dan Ingevaldson, team leader of Internet Security Systems' X-Force research and development.
More than 90% of DNS servers use BIND software. However, only versions 9 to 9.2.0 are flawed, said Hernan, adding that he isn't sure how many machines are running the affected versions. The flaw will affect some users of commercial Linux and Unix flavors, including Hewlett-Packard's HP-UX, Caldera Open Unix, Red Hat Linux 7.1, 7.2 and 7.3, Mandrake Linux 8.x and SuSE Linux.
Users have two ways to correct the flaw. Users of commercial Unix flavors should check with their vendors for a patch. Users who downloaded BIND as source code and built the server themselves should upgrade to BIND version 9.2.1.
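The check behind that advice, as an added shell example that is not from the article, CERT or ISC: it classifies a BIND version string against the range the article gives as affected (9 through 9.2.0, fixed in 9.2.1). The version.bind CHAOS query, the function names and the output wording are my own assumptions, and a server that hides its version string cannot be classified this way.

```shell
#!/bin/sh
# Added example, not code from the article or from ISC. The affected range
# (9.0.0 through 9.2.0) and the fixed release (9.2.1) come from the article.

# bind_affected VERSION -> exit 0 if VERSION is in [9.0.0, 9.2.0], 1 otherwise.
# Strings such as "9.2.1rc1" are reduced to their leading major.minor.patch.
bind_affected() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ -n "$major" ] || return 1
    : "${minor:=0}" "${patch:=0}"          # "9" alone is treated as 9.0.0
    [ "$major" -eq 9 ] || return 1         # BIND 8 and earlier are not in scope
    if [ "$minor" -lt 2 ]; then return 0; fi               # 9.0.x, 9.1.x
    if [ "$minor" -eq 2 ] && [ "$patch" -eq 0 ]; then return 0; fi  # 9.2.0
    return 1                                               # 9.2.1 and later
}

# bind_version_of SERVER -> prints the version.bind CHAOS TXT answer, if the
# server exposes it. Many operators hide or replace this string in named.conf,
# so an empty or custom answer is not evidence that the server is patched.
bind_version_of() {
    dig @"$1" version.bind txt chaos +short 2>/dev/null | tr -d '"'
}

# check_server SERVER -> prints one status line for an administrator.
check_server() {
    ver=$(bind_version_of "$1")
    if [ -z "$ver" ]; then
        printf '%s: version hidden; run "named -v" on the host instead\n' "$1"
    elif bind_affected "$ver"; then
        printf '%s: BIND %s is in the affected range; upgrade to 9.2.1 or apply the vendor patch\n' "$1" "$ver"
    else
        printf '%s: BIND %s is not in the affected range\n' "$1" "$ver"
    fi
}

# Usage: ./bindcheck.sh ns1.example.net ns2.example.net (constructed hostnames)
if [ "$#" -gt 0 ]; then
    for server in "$@"; do check_server "$server"; done
fi
```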
Exploiting the vulnerability is not difficult, Hernan said. One would only need to send a query containing certain malformed data to the server. The flaw is found in how the software verifies data. The malformed data causes the system to shut down.
CERT also said it may be possible to accidentally trigger the vulnerability with common queries, especially queries originating from SMTP servers.
The vulnerability does not allow attackers to run arbitrary code on servers. Hence, it's unlikely a worm will be written to take advantage of the flaw, said Ingevaldson.
However, an enterprising attacker could write a program that scans for the vulnerability and then fires the right query to shut servers down. If enough DNS servers are shut down, that could affect sections of the Internet.
Some users have their DNS servers set to restart when they shut down, minimizing the effect of the flaw. However, a persistent attacker could constantly send the query to make the server shut down.
Ingevaldson and Hernan agree that DNS servers are a damning target for attackers wishing to damage the Internet. "They are the closest thing to a single point of failure (in the Internet)," Ingevaldson said.
Most companies only have one or two DNS servers or use a third-party vendor for them. As such, if those systems went down, the companies would not have much wiggle room.
Attackers are aware of this. Last year, a worm was created to take advantage of a flaw in an earlier version of BIND. Dubbed "Lion," the worm spread itself to Linux DNS machines running BIND. Its mission was to harvest administrator passwords and to create backdoors into the system for hackers.