High Severity BIND Vulnerability Advisory Issued

wiredmikey writes "The Internet Systems Consortium (ISC) and US-CERT have issued a high severity vulnerability warning, discovered by Neustar, which affects BIND, the most widely used DNS software on the Internet. Successful exploitation could enable attacker to cause Bind servers to stop processing all requests. According to the disclosure, 'When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.'"

latest BIND not affected

[doperative]

"There have been no active exploits known, and versions 9.7.1-9.7.2-P3 versions of BIND are affected. US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3 "

Re:latest BIND not affected

[Bacon+Bits]

That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released. Don't believe me?

CERT was notified at the end of January.
"Date Notified: 2011-01-24" [ http://www.kb.cert.org/vuls/id/559980 ]

The CVE was reserved in the middle of January.
"Assigned (20110111)" [ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0414 ]

Yet the release notes for 9.7.3 don't mention any fixes which would coincide with this vulnerability:
http://ftp.isc.org/isc/bind9/9.7.3/RELEASE-NOTES-BIND-9.7.3.html

Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that. That's awesome security procedure there.

Re:latest BIND not affected

[Ethanol]

That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released.

That's not correct. The locking bug had already been fixed in 9.7.3b1, a month before it was found to be exploitable as a DoS. When we did find that out, we consulted with vendors and decided to continue with the releases in progress.

Re:latest BIND not affected

We notified our forum members as soon as we understood the full scope of the issue, key operators/vendors the next day, and the general community one week later, as per our Security Disclosure Policy: http://www.isc.org/security-vulnerability-disclosure-policy.

Re:latest BIND not affected

So, BaconBits - are you going to publicly retract your statements impugning BIND's process?

You made some very harsh judgement, evidently without any research into backup said accusations - IMO, you owe an apology. [I'm posting AC since I don't want to be attacked publicly either, but I have NO association with BIND or any Linux development at all. I'm simply one who uses BIND and Linux servers. Really, I'm just a sysadmin.]

Re:latest BIND not affected

[pclminion]

Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that

You know, I'm really tired of people who obviously don't write code saying crap like this. Fixing a subtle deadlock could quite realistically take a month. First, you need to figure out really why it happens. Then you need to figure out the CORRECT way to fix it, then you need to implement the fix, then you need to TEST the thing to make sure you didn't introduce anything ELSE that could cause a problem. If the bug was in an easy area of code, chances are it would have been found and fixed a long time ago. BIND has been around a long, long time. Anything left in there now is, by definition, hard to find and hard to fix.

Look folks, security bugs happen BECAUSE people whip out code without thinking and without testing. Now you ask for them to do exactly that? You need to get a grip on reality.

Re:latest BIND not affected

[thogard]

Keep in mind that ISC runs a lot of very large name servers all over the world that are under constant DDOS attacks and they didn't see this in the wild. At this point, its a theoretical attack and there is a theatrical work around. Releasing the info too soon could have resulted in a real attack against a theatrical work around. I think they did the right thing considering if you had a DDOS problem, you can ask in a number of places and they would have told to you to try the work around.

Earlier versions?

[psyclone]

What about versions before 9.7.1? Looks like this vulnerability affects only Bind servers within the specific range: 9.7.1-9.7.2-P3

not "high severity"

[Lord+Ender]

This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.

This is just one more in a long list of well-known ways anyone could knock a server offline.

Re:not "high severity"

[Leebert]

This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.

It depends entirely upon the requirements for availability. I agree that generally the A in the CIA triad is the least important, but not by any means always.

Imagine if this could be easily leveraged to shut down all DNS resolvers for, say, all of Comcast. Wouldn't you agree that it's probably a greater impact than, say, a single unimportant desktop somewhere in marketing being compromised by the Flash Of The Day vulnerability?

Thus is the black magic of IT risk management. :)

That said, my first thought when reading this headline was the same as yours.

Re:not "high severity"

[kangsterizer]

http://www.kb.cert.org/vuls/id/559980
Severity metric: 4.50 (on a scale from 0 to 180)

Sounds like not very high to me either, lol.

That said, it's a kinda serious vulnerability given that the Internet relies a lot on DNS and many servers are running BIND.

Then again, we should be running at least DNSSEC by now, and not provided by BIND, right? right?!

Re:not "high severity"

[Leebert]

Clearly, you're just a troll with a silly statement like that.

No sir, my intention was to be disengaging by acknowledging that I was aware that I was talking to a person who probably would generally understand the principles about which I was speaking. I *do* recognize usernames on slashdot, and try my best to acknowledge people who have been around for a long time and generally contribute positively toward the discussion.

your responses are really just pedantic, pointless puffery. Broadly speaking, DoS flaws are low severity.

Then please, by all means, refute it with something other than assertions. Show me how a network-based, low access complexity, non-authenticated vulnerability with only complete availability impact will not score a CVSS v2 base score of 7.8. Or explain why that methodology is flawed (I probably will agree with you).

Because THAT is what some IT risk analyst is going to throw at someone if they parrot what you're saying, and their CVSS charts and graphs look a lot prettier than general unsupported rhetoric.

So don't expect to get a gold star for pointing out the obvious.

It may be obvious to YOU, but not everyone understands these things as a matter of course. I personally think it does a service to help people think more structured about these sorts of things. It took me years to learn, and I wish that people would have guided me.

But you have to admit that we've managed to spend the day off and on arguing over something as admittedly trivial as the title on a news article. Only Slashdot. :)

not high severity

[Lord+Ender]

High severity threats are those that either disclose sensitive information or allow unauthorized control of a service or system. Denial of service vulnerabilities are almost universally considered low severity. This is just one more in a long list of known ways to DoS a system.

Re:Many companies avoid using networked nameserver

[Albanach]

Seriously? What companies avoid nameservers?

Why would you believe your P2P software is less prone to vulnerabilities than BIND?

but it also permits the company to defacto limit the webservers that employees may visit.

Perhaps, If your company employs people who cannot type in an IP address. Nonetheless, I can think of many much better ways to limit employee internet access.

All software has vulnerabilities. If your nameserver has an issue, you upgrade BIND and you're done. If your P2P software on every desktop has a vulnerability, you now have to update software on every desktop. Assuming, that is, that the vulnerability is ever publicly disclosed.

Re:Let Me Ask a Question

[vlm]

Let me ask a question, when alerts come out like this that explain a vulnerability, do they always state the problem the way it happens?

Thankfully, yes, err, well, as far as they know at that time. I don't do IXFR on my authoritative or resolving bind servers so I simply don't care. Kind of hard to cause a deadlock during a tiny slice of a time in a process I don't run...

Like, if someone understood how to exploit this vulnerability, are they really going to shut down DNS services or could it be that there is a worse vulnerability underneath? For instance, could this actually be a call to patch something that allows for DNS spoof, where someone does not want the issue to have wide awareness?

Uh, no. At least not directly. According to

http://www.isc.org/software/bind/advisories/cve-2011-0414

the server simply stops responding. Usually deadlocks in any software freeze it up quite well rather than false data. Old data, maybe, at worst...

What happens to the rest of your security infrastructure when it stops getting DNS responses? Probably nothing, but someone whom tried really hard could make something like a syslog that wouldn't log if it cant log reverse DNS, so I guess you could brute force something while no one is watching, that is vulnerable to brute forcing (no rate limiting, weak enough to be brute forced, etc). Once they have access maybe they could set up some sort of spoofy thing.

Re:Many companies avoid using networked nameserver

[geogob]

Now I really wonder... are you someone totally incompetent trying to post as a windows admin or just an elaborate troll
Because I really don't see the point to try to push the usage of host files in this community (or any community, for that matter - especially as an alternative to DNS).

Re:Some of your points = moot to most people &

[djdanlib]

I am not one of the ACs in this thread. That being said, I have some background and experience in network administration in environments from SOHO to global enterprises.

Now, please detail how you'd set up an automatic and redundant P2P distribution network for a HOSTS file including your mechanism for securely updating said HOSTS file from a location of your choosing, and explain how your solution is more efficient than your company's infrastructure's DNS systems. If you allow updates from anywhere other than a central location, what happens when malware on a personal computer alters the HOSTS file - does it cause an erroneous update to be pushed out to the group? Can you ever tell that the one computer is stale? Would you push the updates on demand only, or every X minutes/days?

You're clearly talking about a business use of some sort here. Have you done this in a business environment? How large? How did you convince them to allow you to override DNS with myriad HOSTS files? Have improvements in their network infrastructure superceded your solution, perhaps without your knowledge?

The only benefit to having a HOSTS file distribution like that might be that it could be distributed faster than your DNS can replicate changes via a push or pull mechanism, although in a modern enterprise environment DNS changes should be able to propagate in minutes if not seconds.

Once a system is removed from that HOSTS file distribution, or the distribution fails because a server dies or a network link is broken temporarily, or a user does something that causes their personal machine to stop receiving changes, then you have stale HOSTS files everywhere conflicting with your DNS. How do you propose to clean that mess up?

DNS should at least be set up such that (in no particular order):
1) It is very redundant (multi-homed) and thus robust/reliable
2) Administrators can control it and add/alter/remove records
3) Replication is fast
4) The source of changes can be verified or at least identified
5) Poisoned updates from the untrusted wilds can be rolled back and audited once they have been identified

How often do you have significant DNS bugs whose actual (not theoretical) impact and resolution outweighs the implementation cost (time and money) of your custom HOSTS distribution solution? I propose that this scenario does not exist, but someone has created this alternate solution "just in case" which just smacks of the 1980s rather than learning how to correctly administer their DNS infrastructure. Either that, or someone is upset because they weren't permitted to alter the corporate DNS the way they wanted / anonymously, and became the squeaky wheel and pitched their solution to execs in the business who don't know the difference between a CPU and a chassis. (Nor should they have to, it's not their job.) These are possibilities, perhaps not accurate. However: None of these are acceptable for a network administrator. All network admins should be seeking ways to improve their DNS setup, staying on top of the state of the art, and using HOSTS files *only* when appropriate.

HOSTS files do have uses.
* Null-routing a server that's been causing some isolated issue, such as an ad server or some other server that your software times out waiting for; Also, null-routing a server to prevent a new software package you're testing/developing from reaching a production server
* Rerouting a name to your local development environment while debugging or developing software
* Guarantee resolution of key server names on a portable demo workstation that often finds itself on different private networks

I think you need to chill out a little bit, regardless. There's entirely too much angry excitement in this thread, and there's a lot of arguments that seem to stem from personal experiences with isolated situations from the distant past that basically never happen in a properly configured environment, and don't cause the kind of disaster that they are imagined to cause. Let's try to stay calm, civil and professional on a public technology website.

Re:Can't you read? I wouldn't USE P2P to update HO

[djdanlib]

I addressed my post incorrectly. I was replying to the thread as a whole, which was not correctly conveyed.

Logon scripts that copy from where?

Still, it wouldn't kill you to be civil.

Re:djbdns

[Just+Some+Guy]

if you want a secure one.

If you want it to be really secure, you'd just turn the server off. If you want secure and functional, isn't even an option.

I'll say it: djbdns is the least secure popular DNS daemon. Its fatal flaw is that it only implements the easiest parts of DNS. Maybe it's exceedingly secure at handling that stuff. Who knows? Who cares? It leaves all the hard part of DNS administration to be re-implemented at every single site. For example, to the best of my knowledge, djbdns still doesn't implement IXFRs. The security vulnerability:

BIND method for dynamic DNS

1. Configure a TSIG key and install it on the master and slave servers.
2. Tell the master server to send notifications to the slaves.
3. Slap your hands together in "job well done" manner and go drink a beer.

djbdns method for dynamic DNS

1. Roll out some half-assed rsync-based implementation to send updates from the master to the slaves.
2. Don't forget to use SSH!
3. Don't forget to use public key authentication!
4. Don't forget to use empty passphrases, or implement some passphrase-caching mechanism!
5. Hey, maybe this would be a good time to spend a week learning about Kerberos!
6. Don't forget to lock down the 'namedaemon' accounts on the slaves so that they can only run rsync and not get full shell privileges!
7. Don't forget to lock down rsync so that it can't write outside djbdns's non-standard configuration directories!
8. Figure out a way to make it interact with your outsourced slave DNS systems, all of which are running BIND or something compatible with it.
9. Figure out whether to used time-based or delta-size-based algorithms to decide how often to trigger your proprietary sync system.
10. Explain to your boss why you spent two weeks dicking around with something that didn't have to be dicked around with had you picked something less bizarre.

djbdns pretends to be secure by ignoring all the things that make DNS "interesting". That's like writing a computer language with one instruction - say "subtract, branch negative", making that one instruction very robust, then making fun of people who use "insecure languages" (which happens to be everything but yours, as you loudly explain to everyone who will listen). No thanks.