New DoS Vulnerability In All Versions of BIND 9
Icemaann writes "ISC is reporting that a new, remotely exploitable vulnerability has been found in all versions of BIND 9. A specially crafted dynamic update packet will make BIND die with an assertion error. There is an exploit in the wild and there are no access control workarounds. Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC post refutes that. This is a high-priority vulnerability and DNS operators will want to upgrade BIND to the latest patch level."
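Added example, not from the story or from ISC: a small decoder for the 12-byte DNS header that flags inbound dynamic UPDATE requests (opcode 5, RFC 2136), so an operator can check whether a server that is not supposed to accept updates is receiving any. The packets and source addresses below are constructed samples; the code reads only the header and does not build or send anything.

```python
import struct

# DNS opcodes: RFC 1035 section 4.1.1 defines 0-2, RFC 1996 adds NOTIFY (4),
# RFC 2136 adds UPDATE (5).
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header.

    For UPDATE messages the four count fields are named ZOCOUNT/PRCOUNT/
    UPCOUNT/ADCOUNT (RFC 2136 section 2); otherwise the RFC 1035 names apply.
    """
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, c1, c2, c3, c4 = struct.unpack("!6H", packet[:12])
    opcode = (flags >> 11) & 0xF          # bits 1-4 of the flags word
    hdr = {"id": ident, "qr": bool(flags & 0x8000),
           "opcode": OPCODES.get(opcode, f"RESERVED({opcode})")}
    if opcode == 5:
        hdr.update(zocount=c1, prcount=c2, upcount=c3, adcount=c4)
    else:
        hdr.update(qdcount=c1, ancount=c2, nscount=c3, arcount=c4)
    return hdr


def is_dynamic_update(packet: bytes) -> bool:
    """True for an inbound UPDATE request: QR=0 (request) and opcode 5."""
    hdr = parse_header(packet)
    return hdr["opcode"] == "UPDATE" and not hdr["qr"]


def flag_updates(observed) -> list:
    """Given constructed (source_ip, packet) pairs, return sources that sent UPDATEs."""
    return sorted({src for src, pkt in observed if is_dynamic_update(pkt)})


# Constructed samples (header + first section only; the parser reads the header).
# Ordinary recursive A query for example.com: flags 0x0100, QDCOUNT=1.
QUERY_PKT = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
# UPDATE request: flags 0x2800 (opcode 5), ZOCOUNT=1, UPCOUNT=1, zone example.com SOA.
UPDATE_PKT = (b"\xab\xcd\x28\x00\x00\x01\x00\x00\x00\x01\x00\x00"
              b"\x07example\x03com\x00\x00\x06\x00\x01")
# UPDATE response from a server (QR=1): not an inbound request, so not flagged.
UPDATE_RESPONSE_PKT = b"\xab\xcd\xa8\x00\x00\x01\x00\x00\x00\x00\x00\x00"

SAMPLE_TRAFFIC = [("192.0.2.10", QUERY_PKT),
                  ("198.51.100.7", UPDATE_PKT),
                  ("192.0.2.10", UPDATE_RESPONSE_PKT)]

if __name__ == "__main__":
    for src in flag_updates(SAMPLE_TRAFFIC):
        print(f"dynamic UPDATE request seen from {src}")
```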
Why in the holy hell would you reboot a server to put a new install of BIND into service?
Because modern-day admins don't know how to restart a service?
Oh, wait, these are fellow Linux "admins" we're talking about...
If you're running a serious server you should always do a reboot test after installing any software. I've been burned many times by someone doing a "harmless" installation only to find out 6 months later a critical library was upgraded with an incompatible one (a recent example is expat 2.0) and the server doesn't boot like it should.
Always reboot! Even with the super slow bios you get in servers nowadays it should only take 2 minutes to be back up and running.
Because lots of people don't want intruders being able to affect the actual zone data in case an outward-facing DNS server gets compromised. Using SSH to transfer zone data is much easier and more secure than BIND's own zone transfer mechanisms (e.g., you can automate and schedule them), and you don't have to worry about zone transfers through firewalls. Troubleshooting all the weird crap that can happen between different DNS daemons all supposedly doing regular AXFRs is a real pain in the ass. SSH makes life easier.
If having a DNS machine on the Internet that thinks it is a master really is a mistake, well then, BIND9 is a piece of shit. This is the most straightforward thing a DNS daemon should be asked to do.
Nowhere in BIND's manual does it say people have to use BIND in a master/slave setup.
Sounds like a lot of work when you can just run Treewalk DNS and be done with it. It is fast, uses very little resources (mine is using 5Mb ATM) and never gives a bit of trouble.
ACs don't waste your time replying, your posts are never seen by me.
It could have been worse (and no, I haven't read the article yet). Failing an assertion means that they actually wrote an assertion that did its job. It's impossible to know without reading the code, but this might have been a remote code execution exploit if they hadn't.
I won't join Slashcott. OTOH, if Beta goes live, I just won't be back until it's fixed. Sorry Dice.