DoS flaw discovered in ISC BIND-based DNS servers

By Edward Hurley, News Writer 05 Jun 2002 | SearchSecurity

Digg This!     StumbleUpon     Del.icio.us

An error in core Internet software could cause domain name system (DNS) servers to shut down.

FOR MORE INFORMATION: Best Web Links on denial-of-service attacks CERT's advisory on the ISC BIND 9 vulnerability For more information about BIND 9.2.1 Feedback on this story? Send your comments to News Writer Edward Hurley

DNS servers translate and locate Internet domain names (such as searchsecurity.com) into the corresponding Internet Protocol (IP) address. The denial-of-service flaw in ISC BIND, software running on DNS servers, could allow attackers to shut down machines and deny access to the Internet.

BIND (Berkeley Internet Name Domain) is ISC's implementation of the Domain Name System (DNS) protocols, including a Domain Name System server and tools to ensure proper operations. Additionally, it includes standard APIs to translate domain names into Internet Protocol addresses and vice versa.

The non-profit Internet Software Consortium (ISC) controls BIND. The group develops and maintains production open source implementations of core Internet protocols, according to ISC's Web site. Many commercial and open source flavors of Unix come with ISC BIND.

The vulnerability is in BIND versions 9 to 9.2.0. Versions 4 and 8 are not affected, according to an advisory from the Computer Emergency Response Team (CERT) based at Carnegie Mellon University in Pittsburgh. Last month, ISC released an updated version, BIND 9.2.1, which corrects the flaw.

Specifically, the flaw involves a logic error that could allow a remote attacker to make the DNS servers shut down. An attacker can cause the shutdown by sending a specific DNS packet designed to trigger an internal consistency check, CERT said.

This vulnerability is present within the dns_message_findtype routine, CERT said. Usually, the rdataset variable is non-null. The flaw forces it to be null or empty. This causes an error and makes the system shut down.

Additionally, it may be possible to accidentally trigger the vulnerability with common queries, especially queries originating from SMTP servers, CERT said.

The machines would have to be manually restarted before they can be used again. Such attacks of DNS servers could cause Internet instability, either locally or in larger areas. Attackers can only shut the machines down. They can't execute arbitrary code or write data to memory.

BIND users are advised to apply a patch from their vendor or upgrade to BIND 9.2.1. Software from companies from Caldera to SuSE to Hewlett-Packard could be affected by the flaw.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary