Slashdot Mirror

← Back to Stories (view on slashdot.org)

Potential 0-Day Vulnerability For BIND 9

Posted by Soulskill on from the bind-your-own-business dept.

Morty writes "BIND, the popular DNS server software, has been crashing all over the Internet. The root cause is believed to be a 0-day vulnerability in BIND's resolver. The ISC has issued an alert. Quoting: 'An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.'"

16 of 187 comments (clear)

  1. To the Red Phone! by Anonymous Coward · · Score: 4, Funny

    Alert DJB at once!

  2. 10 years ago by ghn · · Score: 4, Informative

    I had to choose which DNS server I would deploy on my servers. I went for TinyDNS as it had all the same features and security promises. Man am I glad to have considered security over popularity.

    1. Re:10 years ago by Compaqt · · Score: 4, Informative

      Another small DNS server is MaraDNS. It's considered a good alternative to BIND.

      Being a lot smaller, it's easier to secure.

      If you're just running a DNS cache on your desktop, check out dnsmasq. Click to install(Deb/Mint/Ubuntu)

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    2. Re:10 years ago by afidel · · Score: 4, Funny

      Unless you have to actually work with him.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:10 years ago by Above · · Score: 5, Informative

      This particular vulnerability applies only to BIND9 operating as a recursive resolver. BIND9 operating in authoritative mode, similar to how TinyDNS operates, is unaffected. Had you properly deployed BIND9 for the same purposes you are using TinyDNS you would not had been impacted by this issue.

    4. Re:10 years ago by gmack · · Score: 4, Informative

      The major problem with Qmail was it's design simply didn't take into account the possibility of a bad return address. The downside was that it couldn't bounce during reception and so was forced to generate a bounce message instead and not only did spammers plug up the queue with bad messages, it ended up being used for reflector attacks where the attacker set the target's address as the return and sent messages that would bounce to many different servers. The whole problem ended up being so bad that many that many mail admins considered servers running Qmail to be almost as bad as an open relay and there were people who actually maintained blacklists of servers running Qmail and that was right about when I stopped using it but I hear there have been patches to fix the worst of it's flaws since then.

      In short: it was secure for only some definitions of secure and for everything else DJB ignored the problem.

  3. Re:Impossible! by 1s44c · · Score: 5, Insightful

    It's open source, and has had years to mature...so many eyes on it that this couldn't possibly happen.

    We don't even know what is happening yet. Maybe it's just a DOS, maybe it's a potential exploit. What we do know is that no-one has any need to put recursive DNS servers on the internet unless they are running an ISP or a DNS service.

  4. A confusing summary on /., let me try to do better by Above · · Score: 5, Informative

    BIND is written by Internet Systems Consortium aka ISC, a non-profit that does various public benefit things for the Internet. The summary links to an alert from the Internet Storm Center aka ISC, a project of the SANS Technology Institute. There is no relation between these two ISC's, in this case the first authors the software, and the second tracks vulnerabilities. I'm sure by using a link to SANS many people on /. who are not familiar with these two ISC's will get them confused.

    The link in the summary also goes to a preliminary version of the advisory. The correct, full summary is available on Internet Systems Consortium's web site as CVE-2011-4313.

    I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can exploited to do something, and that is used by bad-actors before the vendor is aware and able to fix the issue. In this case the bug simply crashes the server; there's no remote root or other exploit, and at this time there is no evidence of bad-actors using this bug at all. Rather it appears something interesting (unusual, perhaps put there intentionally) appeared in the DNS, and it triggered a bug in the software.

    Some historical context may help. BIND8, for those who used it, was a pile of poo. It had a huge number of security issues and other problems and was generally a nightmare for sysadmins. Many people stayed on BIND 4.9.x for a very long time because of the issues in BIND8. When ISC launched BIND9, they wanted to change this perception. The action relevant to this bug is that BIND9 was designed to be full of assertions and other checks in the code. The goal was to catch any badness early, and if it was uncorrectable crash in a predictable way. The thought was that crashing with a core dump where you can fix the problem is far better than running off with bad data that could eventually be used in some sort of remote-root exploit.

    This issue is sort of the payoff of that philosophy. Rather than taking this bad data and giving a remote hacker access to the machine BIND9 caught it with an assert, logs a useful message and core dumps. This is a big part of why 0-day leaves the wrong impression with me, "denial of service vector" seems to perhaps be a more accurate description. Sure, we could have a lively debate about if crashing is preferred or not, but I think most of the administrators who lived through BIND8 prefer the BIND9 procedures.

    Internet Software Consortium also offers support for BIND (and DHCP). I'm amazed how many people run large, production name servers on BIND yet don't have a cheap support contract. If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.

  5. Re:Open sores == fail by NoNonAlphaCharsHere · · Score: 5, Insightful

    I can see this is going to be a long thread full of trolls about open source, but the fact of the matter is that an application "crashing" (really ABENDing) due to an assertion failure is actually a sign of software doing what it was designed to do. Assert statements are used to check for "impossible" conditions, and have the program scream and die if one is found. So what we have here is a careful programmer's backstop doing its job.

  6. APK's monolithic hosts file by Culture20 · · Score: 5, Funny

    APK's monolithic hosts file is looking pretty good at the moment.

  7. Re:A confusing summary on /., let me try to do bet by surgen · · Score: 5, Interesting

    Thanks for the clear explanation.

    If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.

    Very true. Its funny, that this morning I had applied security patches to a debian stable box and thought "hmm, looks like BIND is getting fixed, wonder what thats about" before this even got posted to slashdot.

  8. Tip of the iceberg by mseeger · · Score: 4, Insightful

    The "assertion"-problem is only tip of the iceberg.

    If an assertion fails, this usually means that someone managed to make the code behave in an unintended way. Since the affect occurred simultaneously at several providers all over the world, this indicates a coordinated attack. The chances are real, someone managed to exploit a buffer overflow (or similar) in BIND.

    So we have to look seriously into the possibility that people have a way to execute code with the same permissions as BIND has.

    When i got the information this morning, this was an alert topic.

    Yours, Martin

    1. Re:Tip of the iceberg by kqs · · Score: 5, Informative

      The "assertion"-problem is only tip of the iceberg.

      If an assertion fails, this usually means that someone managed to make the code behave in an unintended way.

      Except that the assertion isn't the problem. The problem is that BIND allows bad data into its cache. The assertion detects this and crashes BIND before the bad data becomes an exploit.

      Now, there still may be a way to execute code using this method, but the assertion has alerted everyone to this problem so I expect this particular problem to be solved quickly. And thanks to the assertion-crashes, people will be forced to upgrade rather than running a vulnerable version for the next 5 years.

      I'd prefer software without bugs, but since that's impossible, I'll happily take BIND.

  9. etckeeper by Compaqt · · Score: 5, Informative

    By the way, another thing people who are wont to mess with their /etc should keep in mind is etckeeper. It versions your /etc, by default in bazaar, but it's also supposed to work with git, hg, etc. It has triggers set so every time you install something, it does an automatic checkin.

    You can also manual commits, too, along with a message.

    Good for people who want to know what the config files looked like when they were working a week ago.

    Click to install (Debian and friends)

    --
    I'm not a lawyer, but I play one on the Internet. Blog
  10. Re:Open resolvers by Short+Circuit · · Score: 4, Insightful

    More likely, the unusual TXT lookups were someone streaming IP over DNS.

    --
    tasks(723) drafts(105) languages(484) examples(29106)
  11. Re:Security tip of the day: Do not use BIND by Above · · Score: 4, Informative

    There has not been a single remote-root exploit in BIND9 since it was offered up to the world circa 2001. It was a complete rewrite with new goals, so taking BIND 4.x or BIND 8.x as examples isn't really relevant.

    ISC is also completely open about security issues, listing them all on the web site and registering them with the CVE Registry.

    As I stated in another post, the goal of BIND9 was use use various constructs (like assertions) to check data integrity, where possible on the fly and where not practical in a way that causes a core dump. That to fail safe was the best option, and crashing in a way the bug could be fixed was a positive. If you view the advisories against BIND9 you'll see that strategy has worked very well. Of course there's no reason not to lock any application in a VM, jail, chroot or whatever to get additional security, but I think the track record of BIND9 compared to most other major open source software is decent.

    BIND is also "full featured". Many of the folks here reference alternatives like NSD, tinyDNS, or Unbound which provide limited functionality compared to BIND. Obviously if you're willing to limit the functionality you limit the bug exposure, but that's true both if you use software that doesn't include the functionality but also if you disable that functionality in BIND. For instance the bug in question affects recursive resolvers only, if your BIND9 instance is an authority only configuration there is no exposure.

    I'm afraid most of BIND's bad reputation comes from BIND 4.x and BIND 8.x, both of which were quite bad (for different reasons). BIND9 was a departure, and now ISC is working on BIND 10, which should be yet another large leap forward.