Slashdot Mirror

← Back to Stories (view on slashdot.org)

High Severity BIND Vulnerability Advisory Issued

Posted by CmdrTaco on from the put-on-your-hard-hat dept.

wiredmikey writes "The Internet Systems Consortium (ISC) and US-CERT have issued a high severity vulnerability warning, discovered by Neustar, which affects BIND, the most widely used DNS software on the Internet. Successful exploitation could enable attacker to cause Bind servers to stop processing all requests. According to the disclosure, 'When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.'"

5 of 144 comments (clear)

  1. latest BIND not affected by doperative · · Score: 5, Informative

    "There have been no active exploits known, and versions 9.7.1-9.7.2-P3 versions of BIND are affected. US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3 "

    1. Re:latest BIND not affected by Bacon+Bits · · Score: 3, Informative

      That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released. Don't believe me?

      CERT was notified at the end of January.
      "Date Notified: 2011-01-24" [ http://www.kb.cert.org/vuls/id/559980 ]

      The CVE was reserved in the middle of January.
      "Assigned (20110111)" [ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0414 ]

      Yet the release notes for 9.7.3 don't mention any fixes which would coincide with this vulnerability:
      http://ftp.isc.org/isc/bind9/9.7.3/RELEASE-NOTES-BIND-9.7.3.html

      Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that. That's awesome security procedure there.

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:latest BIND not affected by Ethanol · · Score: 4, Informative

      That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released.

      That's not correct. The locking bug had already been fixed in 9.7.3b1, a month before it was found to be exploitable as a DoS. When we did find that out, we consulted with vendors and decided to continue with the releases in progress.

    3. Re:latest BIND not affected by Anonymous Coward · · Score: 3, Informative

      We notified our forum members as soon as we understood the full scope of the issue, key operators/vendors the next day, and the general community one week later, as per our Security Disclosure Policy: http://www.isc.org/security-vulnerability-disclosure-policy.

  2. not "high severity" by Lord+Ender · · Score: 4, Informative

    This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.

    This is just one more in a long list of well-known ways anyone could knock a server offline.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.