Slashdot Mirror

← Back to Stories (view on slashdot.org)

New DoS Vulnerability In All Versions of BIND 9

Posted by kdawson on from the binding-with-briars-my-joys-and-desires dept.

Icemaann writes "ISC is reporting that a new, remotely exploitable vulnerability has been found in all versions of BIND 9. A specially crafted dynamic update packet will make BIND die with an assertion error. There is an exploit in the wild and there are no access control workarounds. Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC post refutes that. This is a high-priority vulnerability and DNS operators will want to upgrade BIND to the latest patch level."

46 of 197 comments (clear)

  1. Interesting by PhunkySchtuff · · Score: 2, Interesting

    This is very interesting. I'm sure the people behind BIND will scramble to get things sorted out ASAP, but I wonder how long it will take other vendors (Apple, I'm looking at you!) to release a patch.

    I do have to wonder about exploits like this that seem initially incredibly serious, yet nothing much comes from them and they don't seem to get exploited to the extent that you might expect they would - this one reminds me of l0pht's famous claim that they can bring down the internet in 30 minutes. If this vulnerability is really as serious as they say, and as easy to exploit as it appears to be then in the wrong hands, this could really be an "internet killer"

    --
    Specialist Mac support for creative pros, Melbourne
    1. Re:Interesting by d3matt · · Score: 2, Informative

      so... any BIND server would be down for a bit... anyone with a caching name server would still be able to surf.

      --
      I am d3matt
    2. Re:Interesting by houstonbofh · · Score: 2, Interesting

      Only to sites already cached. The more unusual sites would just be all gone. What do you bet http://downforeveryoneorjustme.com/ is not cached by your DNS server right now?

    3. Re:Interesting by Minwee · · Score: 5, Funny

      It is now.

      This vulnerability also gives the three people running DJB DNS a much needed opportunity for some smugness.

    4. Re:Interesting by kriebz · · Score: 5, Funny

      I was under the impression they had smugness to spare.

  2. Use Unbound or NSD by nwmcsween · · Score: 5, Informative

    I don't want to bash BIND but it has had a fair amount of sec issues (well a lot), try unbound or nsd instead http://unbound.nlnetlabs.nl/ http://www.nlnetlabs.nl/projects/nsd/

    1. Re:Use Unbound or NSD by medlefsen · · Score: 5, Informative

      or djbdns. We use it where I work and other than a slight adjustment to djb-land it has been wonderful. I know people appreciate how powerful BIND is and maybe some people need that. I suspect though that most people just need their DNS servers to serve their DNS records or provide a caching DNS server for local lookups and for that BIND seems to be bloated and insecure.

    2. Re:Use Unbound or NSD by abigor · · Score: 2, Interesting

      PowerDns for the win. Plus it reads legacy BIND zone files.

  3. Well.. by TechyImmigrant · · Score: 2, Funny

    Well DNS operators do appear to be in a bit of a bind don't they?

    --
    Evil people are out to get you.
  4. Ain't what it used to be.... by mcrbids · · Score: 3, Interesting

    Was once the day whe a notice like this would kick off a flurry of migrationn plans, compiler scripting, compiling, and restarting servers in the dead of night. (and bonuses to match!)

    But now?

    # yum -y update && shutdown - r now

    Sometimes I pine for the 'good old days'. A little. (ok, hardly at all)

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Ain't what it used to be.... by ScytheBlade1 · · Score: 4, Informative

      I'm just hoping that CentOS pushes out the update before 10:00 PM MST today.

      Why?

      So I'll get my daily e-mail status update, telling me to do just that: run yum, and then restart (just bind) -- as opposed to seeing it tomorrow.

      As a footnote, it is generally a good thing to subscribe to whichever vendor's security-announce list that you use. It is really nice getting e-mail notifications of security-related package updates. CentOS has one, right here: http://lists.centos.org/mailman/listinfo/centos-announce

    2. Re:Ain't what it used to be.... by lordkuri · · Score: 4, Insightful

      Why in the holy hell would you reboot a server to put a new install of BIND into service?

    3. Re:Ain't what it used to be.... by palegray.net · · Score: 4, Insightful

      Because modern-day admins don't know how to restart a service?

      Oh, wait, these are fellow Linux "admins" we're talking about...

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    4. Re:Ain't what it used to be.... by houstonbofh · · Score: 2, Funny

      Remember when "shutdown -rfn" would work? Ahh... The days of youth.

    5. Re:Ain't what it used to be.... by Antique+Geekmeister · · Score: 2, Insightful

      Because you may have a stack of other pending updates, particularly kernels, and this has been the first "gotta switch" update in quite some time for those core servers? Also because without the occasional reboot under scheduled maintenance, it's hard to be sure your machines will come up in a disaster. (I've had some gross screwups in init scripts and kernels cause that.)

    6. Re:Ain't what it used to be.... by secolactico · · Score: 3, Informative

      You seem to be just taking all changes and rebooting. I do that all the time on my ubuntu laptops but I wouldn't manage my servers that way.

      More so because some package managers (such as CentOS) tend to replace customized init.d files with the stock ones (renaming the ones you had). This is not really a big deal, but it sometimes breaks some services.

      --
      No sig
    7. Re:Ain't what it used to be.... by FishWithAHammer · · Score: 3, Funny

      I never heard that one, but please tell me it stands for "Right Fucking Now."

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    8. Re:Ain't what it used to be.... by palegray.net · · Score: 2, Funny

      I think I'm going to alias "reboot" to 'echo "go read some man pages and come back later"' on a bunch of servers now :)

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    9. Re:Ain't what it used to be.... by FireFury03 · · Score: 2, Insightful

      More so because some package managers (such as CentOS) tend to replace customized init.d files with the stock ones (renaming the ones you had). This is not really a big deal, but it sometimes breaks some services.

      If you are modifying packaged files that aren't marked as %config in the RPM spec then you're doing it wrong. 99% of the time you don't need to modify those files anyway, the other 1% of the time you really should be building a custom package and adding it to yum's exclude list.

      --
      http://blog.nexusuk.org
  5. All versions of Bind 9? by Yvan256 · · Score: 2, Funny

    Good thing I'm using FreeDOS!

    1. Re:All versions of Bind 9? by tygerstripes · · Score: 5, Funny

      But it's a DOS vulnerability!!! Sheesh, read the title...

      --
      Meta will eat itself
  6. At least someone agrees that BIND 9 had issues... by bogaboga · · Score: 2, Interesting

    According to this document, BIND 9 has issues including being monolithic, having a "Bad Process Model", Hard to Administer and Hard to Hack. That's not a good reputation to have.

    To some extent, these issues apply to everything Linux save for the last point. I am waiting for the time these points will not apply to Linux and its associated software.

    I must say that understanding BIND's configuration file was not that easy for me at first but after trying several times, I can say I am almost an expert. Things can be made simpler though. A text based interactive system could be of a lot of help. Tools like Webmin come in handy too though they require that a system be running initially.

  7. Only effective against MASTERS... by Olmy's+Jart · · Score: 5, Informative

    From the advisory: "Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert."...

    So an obvious workaround is to only expose your slave DNS servers and to not expose your master server to the Internet. That's part of "best common practices" isn't it? You have one master and multiple slaves and you protect that master. Come on, this is pretty simple stuff. Just simple secure DNS practices should mitigate this. Yeah, if you haven't done it that way to begin with, you've got a mess on your hands converting and it's easier to patch. But patch AND fix your configuration.

    1. Re:Only effective against MASTERS... by raddan · · Score: 4, Insightful

      Because lots of people don't want intruders being able to affect the actual zone data in case an outward-facing DNS server gets compromised. Using SSH to transfer zone data is much easier and more secure than BIND's own zone transfer mechanisms (e.g., you can automate and schedule them), and you don't have to worry about zone transfers through firewalls. Troubleshooting all the weird crap that can happen between different DNS daemons all supposedly doing regular AXFRs is a real pain in the ass. SSH makes life easier.

      If having a DNS machine on the Internet that thinks it is a master really is a mistake, when then, BIND9 is a piece of shit. This is the most straightforward thing a DNS daemon should be asked to do.

      Nowhere in BIND's manual does it say people have to use BIND in a master/slave setup.

    2. Re:Only effective against MASTERS... by totally+bogus+dude · · Score: 2, Informative

      As kju responded, you can reload on particular zones if you want. The logs seem to suggest that bind itself only actually reloads the zones which have changed (i.e. mtime is newer than the last time it was loaded). I only get messages that it's loading every zone if I actually restart bind (stop and start), telling it to reload I only get messages about zones that have actually been changed.

      I haven't noticed any performance hit from doing a simple reload, but I only have 120 zones.

      If we were supplying secondary DNS for an (un?)trusted third party then yes I'd use bind's zone transfer mechanism. But we don't so it's not an issue - we only serve DNS for things we host/manage ourselves.

    3. Re:Only effective against MASTERS... by Fastolfe · · Score: 2, Informative

      So I'm responding not because I disagree with your conclusions, but I disagree with the logic you're using to justify them:

      Because lots of people don't want intruders being able to affect the actual zone data in case an outward-facing DNS server gets compromised. ...
      If having a DNS machine on the Internet that thinks it is a master really is a mistake, when then, BIND9 is a piece of shit. This is the most straightforward thing a DNS daemon should be asked to do.

      You start off with a reasonable statement (that you don't generally want compromised DNS servers to allow for the modification of data), but then you say bind9 is a piece of shit because it's a best practice that the masters (which hold the data) shouldn't be exposed to the public. Which is it?

      Using SSH to transfer zone data is much easier and more secure than BIND's own zone transfer mechanisms

      Would you care to elaborate on that? Doesn't TSIG secure zone transfers? TSIG is just as easy to set up as SSH keys are.

      (e.g., you can automate and schedule them)

      How much more automated can you make automatic zone transfers? What better scheduling of zone transfers than when the zones are modified?

      you don't have to worry about zone transfers through firewalls

      The only thing you need to open through the firewall is TCP and UDP port 53. Most firewalls make this easy, because "Serve DNS through the firewall" is a common configuration for firewalls.

      Troubleshooting all the weird crap that can happen between different DNS daemons all supposedly doing regular AXFRs is a real pain in the ass. SSH makes life easier.

      SSH makes life easier for someone that understands SSH, and does not understand DNS or firewalls.

      That being said, there are valid reasons you might not prefer to run a DNS master as the source for your slaves/shadow masters, and SSH might even be a good way to push your zone files out to those machines, but you have not provided any of those reasons.

  8. For goodness sake upgrade.... by syousef · · Score: 4, Funny

    ...to Windows! DOS is just so 80's and 90's it's not funny.

    (Suggested mod: +1 funny)

    --
    These posts express my own personal views, not those of my employer
    1. Re:For goodness sake upgrade.... by Sicarul · · Score: 2, Funny

      hahaha automatically translated Spanish is so funny (Spanish is my mother language) Though, i don't know what he meant, he said "Yes, i think three or four would be much more modern"... i don't see how it applies to it's previous post... three or four windows? O.o

  9. djb by dickens · · Score: 4, Funny

    Somewhere I think djb is managing to both smile and raise his eyebrows simultaneously.

  10. Servers behind Firewalls by Bilbo · · Score: 2, Insightful

    It's unlikely that, if you're running a DNS server inside of your private network, someone on the outside is going to be able to hit it. But then, like all other vulnerabilities, you combine this one with a couple of other attacks (such as a non-privileged login), and all of the sudden you've got something really dangerous. :-(

    --
    Your Servant, B. Baggins
    1. Re:Servers behind Firewalls by Olmy's+Jart · · Score: 2, Insightful

      A server behind a firewall does not imply a server on a private network. You can have firewalls in front of a DMZ on a public address providing services. Firewalls are used for much more than merely "private networks". Those are two orthogonal issues.

      OTOH... A master on a private network providing zone feeds to slaves on various other networks (firewalled or not) on public addresses would be a very good idea.

  11. Re:At least someone agrees that BIND 9 had issues. by profplump · · Score: 5, Informative

    Recent versions of BIND (8+) are not terrible to administer, and have much more reasonable data files. Older version were *really* nasty, and had a data file format so complicated that we invented a dedicated zone-transfer mechanism just so people could send DNS data to each other.

    And while djbdns uses an unconventional admin system with lots of environmental variables, that's a one-time setup (that is probably done in large part by your package manager) and the actual data files are dead-simple -- plain text, one record per line, can do DNS lookups at build time, can concatenate files, etc. There are valid complaints to be made about djbdns, but I don't think "difficult to wrangle" is one of them.

  12. No need to restart bind after updating using yum by dusanv · · Score: 2, Informative

    It gets restarted automatically. Check system.log.

  13. Always do a reboot test ... by ZeekWatson · · Score: 4, Insightful

    If you're running a serious server you should always do a reboot test after installing any software. I've been burned many times by someone doing a "harmless" installation only to find out 6 months later a critical library was upgraded with an incompatible one (a recent example is expat 2.0) and the server doesn't boot like it should.

    Always reboot! Even with the super slow bios you get in servers nowadays it should only take 2 minutes to be back up and running.

    1. Re:Always do a reboot test ... by Vancorps · · Score: 2, Interesting

      Why? You're DNS servers are clustered and load balanced right? rrright? Those of us that need our infrastructure up don't think twice about rebooting even during the day! A golden age we live in indeed when I can just take the server out of the load balancer rotation, apply updates, perform reboot rest, and then put it back into rotation repeating the steps for all servers in the cluster.

    2. Re:Always do a reboot test ... by sago007 · · Score: 2, Insightful

      If you're running a serious server you should always do a reboot test after installing any software.

      You should obviously wait to outside working hours in case it actually breaks something.

      If you apply an update over ssh you should test that you can create a new ssh connection before you disconnect the first one.

  14. OMG... by Garion911 · · Score: 5, Interesting

    I reported a bug *very* similar to this back in Oct, and only now its coming to light? WTF? I submitted this back in january and it was rejected. Ah well. Here's my page on it: http://garion.tzo.com/resume/page2/bind.html

    --
    Slashdot is like Playboy: I read it for the articles
  15. iptables to the rescue by kju · · Score: 5, Informative

    For a quick "fix":

    iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

    Will block (all) dnsupdate requests.

  16. Re:I have my own "patch", called a HOSTS file... a by hairyfeet · · Score: 3, Insightful

    Sounds like a lot of work when you can just run Treewalk DNS and be done with it.It is fast, uses very little resources (mine is using 5Mb ATM) and never gives a bit of trouble.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  17. Re:At least someone agrees that BIND 9 had issues. by rs79 · · Score: 2, Informative

    " Older version were *really* nasty, and had a data file format so complicated... "

    Rememeber that this was a product of the early 1980s; Brian Reid, Director of Digital Equipment Corporation's Network Systems Laboratory ("decwrl.uucp") hired a kid, Paul Vixie, to take the buggy Berkley B-tree code and turn it into something resembling professional software. At the time even C was not even close to ubiquitous, Assembler was though and in fact the great majority of code written for the early microprocessor based systems of that era was written in assembly.

    So it should not be any great shock that bind config files looked like assembly code, or that the later versions looked like C.

    Frankly I found the earlier bind config files much easier to use, and the djbdns config files even easier (once you get used to them) to use, and (much) more importantly, you can write a program to manipulate these datum very easily. It's ugly and complicated with bind data files of any version.

    --
    Need Mercedes parts ?
  18. Smug by TheLink · · Score: 3, Funny

    Smugness to spare? My smugness was overflowing more than BIND9 buffers.

    Great opportunity to vent some smugness today :).

    --
  19. Re:god they should learn programming by gd2shoe · · Score: 3, Insightful

    It could have been worse (and no, I haven't read the article yet). Failing an assertion means that they actually wrote an assertion that did it's job. It's impossible to know without reading the code, but this might have been a remote code execution exploit if they hadn't.

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  20. Re:god they should learn programming by rolfc · · Score: 2, Informative

    I am already updated. Thanks to Debian.

  21. Poor coding by julesh · · Score: 2, Interesting

    Why on earth is BIND shipping with assertions that cause the entire server to exit when they fail? They should just cause processing of the current request to exit.

  22. Master for "localhost"? by sa3 · · Score: 2, Interesting

    You may hide your master DNS servers but your slaves are probably still master for "localhost".

  23. Re:It's because it works, & I believe in every by ShakaUVM · · Score: 4, Funny

    My approach isn't stupid in regards to that. Free? That's a "pretty good price", wouldn't YOU say? And, you're also FREE to customize it, & thus, YOUR PERSONALIZED VERSION OF A CUSTOM HOSTS FILE, JUST GOES ALONG WITH YOUR PERSONALIZED SPED UP & SAFER VERSION OF THE INTERNET... &, just as YOU see fit & like, easily. Notepad.exe for instance? My gosh - lol, just "does wonders" here, on this account... lol!

    Are you the ghost of Billy Mays?