BIND is the software most DNS servers use to translate human-friendly domain names into IP addresses. This vulnerability could be exploited by a lone attacker to bring down large swaths of the Internet.
The problem affects all the major branches of the software (9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2) and is related to the way BIND handles queries for TKEY records.
The flaw can be exploited by sending a malformed packet to a vulnerable server, which crashes when it receives it.
We don’t know whether the flaw is being exploited in the wild, but the details of the bug have not yet been disclosed, since it is waiting for a fix.
Rob Graham, CEO of the penetration testing firm Errata Security, reviewed the BIND source code and published advice for the BIND developers:
“BIND9 is the oldest and most popular DNS server. Today, a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my “masscan” tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn’t mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have.
Its biggest problem is that it has too many features. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today’s bug was in the rarely used “TKEY” feature, for example. DNS servers exposed to the public should have the minimum number of features—the server priding itself on having the maximum number of features is automatically disqualified.”
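Neither the article nor Graham's post shows any code. As an added illustration of the two points above (a crafted query that crashes the server, and a rarely used feature such as TKEY being reachable on public-facing servers), here is a small defensive DNS query parser written for this article; it is not BIND code and does not reproduce the crash. It parses the header and question section with explicit bounds checks, so a truncated or self-referencing packet is reported as malformed instead of taking the process down, and it flags questions whose QTYPE is TKEY (type 249, RFC 2930) so an operator can check whether that feature is ever legitimately queried on a given server. The sample packets, the `triage` verdict names and the record-type table are constructed for the example.

```python
import struct

# Record type numbers from the IANA DNS parameters registry (RFC 1035; TKEY is RFC 2930).
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA",
               249: "TKEY", 250: "TSIG", 252: "AXFR", 255: "ANY"}
TKEY = 249


class MalformedQuery(ValueError):
    """Raised for bad input instead of letting IndexError/struct.error escape."""


def parse_name(data, offset, max_hops=16):
    """Decode a wire-format name at OFFSET; return (name, offset after the name).

    Every read is bounds-checked, compression pointers must point strictly
    backwards (so the walk always terminates), and hops are capped anyway.
    """
    labels, hops, jumped, end_after = [], 0, False, None
    while True:
        if offset >= len(data):
            raise MalformedQuery("name runs past end of packet")
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(data):
                raise MalformedQuery("truncated compression pointer")
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if pointer >= offset:
                raise MalformedQuery("forward or self-referencing compression pointer")
            if not jumped:
                end_after = offset + 2                  # resume here after the jump
            jumped = True
            hops += 1
            if hops > max_hops:
                raise MalformedQuery("too many compression hops")
            offset = pointer
            continue
        if length > 63:
            raise MalformedQuery("label longer than 63 octets")
        offset += 1
        if offset + length > len(data):
            raise MalformedQuery("label runs past end of packet")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) or ".", (end_after if jumped else offset)


def parse_query(data):
    """Parse header + question section of a DNS query; raise MalformedQuery on bad input."""
    if len(data) < 12:
        raise MalformedQuery("shorter than a DNS header")
    txid, flags, qdcount, _an, _ns, arcount = struct.unpack_from("!6H", data, 0)
    if flags & 0x8000:
        raise MalformedQuery("QR bit set: this is a response, not a query")
    if qdcount == 0:
        raise MalformedQuery("query carries no question")
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = parse_name(data, offset)
        if offset + 4 > len(data):
            raise MalformedQuery("question truncated before QTYPE/QCLASS")
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "questions": questions, "arcount": arcount}


def triage(data, rare_types=frozenset({TKEY})):
    """Return (verdict, detail): 'malformed', 'rare-feature' or 'ordinary'."""
    try:
        query = parse_query(data)
    except MalformedQuery as exc:
        return ("malformed", str(exc))
    rare = [(n, QTYPE_NAMES.get(t, str(t))) for n, t, _ in query["questions"] if t in rare_types]
    if rare:
        return ("rare-feature", ", ".join(f"{name} {tname}" for name, tname in rare))
    return ("ordinary", ", ".join(f"{n} {QTYPE_NAMES.get(t, str(t))}" for n, t, _ in query["questions"]))


def build_query(name, qtype, txid=0x1234):
    """Encode a plain class-IN query; used only to construct the sample input below."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)     # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample packets (not captured traffic).
SAMPLE_A = build_query("example.com", 1)
SAMPLE_TKEY = build_query("example.com", TKEY)
SAMPLE_TRUNC = SAMPLE_A[:20]                                   # cut inside the QNAME
SAMPLE_LOOP = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for label, pkt in [("A", SAMPLE_A), ("TKEY", SAMPLE_TKEY),
                       ("truncated", SAMPLE_TRUNC), ("pointer loop", SAMPLE_LOOP)]:
        print(f"{label:13s} -> {triage(pkt)}")
```

The `rare_types` set defaults to TKEY because that is the feature the post names; an operator can widen it to whatever record types a given public-facing server has no business answering, and count how often `triage` returns `rare-feature` before deciding whether the feature can be turned off or filtered upstream.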
Experts consider the flaw in BIND a critical security issue because it affects the Internet’s core infrastructure. Graham regularly scans the Internet in search of major issues and evaluates their impact. He warns that even if the BIND developers fix this bug, the underlying problem with BIND is the languages it is written in (C and C++): security weaknesses come with those languages, and at this stage rewriting the software from scratch in a new language would be time-consuming.
“The point I’m trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were written perfectly, it has far too many features to be trustworthy. Its feature-richness makes it a great hidden master, it’s just all those features get in the way of it being a simple authoritative slave server, or a simple resolver. They shouldn’t rewrite it from scratch, but if they did, they should choose a safe language and not use C/C++,” states the advisory.
Edited by Pierluigi Paganini
(Security Affairs – BIND, hacking)