ICS patches three vulnerabilities in BIND

News by Doug Olenick

Exploit could have caused denial of service

The Internet Systems Consortium (ISC) has released security updates for its Berkeley Internet Name Domain (BIND), fixing vulnerabilities that if exploited could cause a denial of service condition.

The first issue, the high-severity CVE-2018-5743, addresses a flaw that does not limit the number of TCP clients that can be connected at any given time. The scenario can be created because the number of TCP connections is changeable and, if unset, is designed to default to the conservative value for the server. However, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit, creating a DoS condition.

Versions affected are BIND 9.9.0 to 9.10.8-P1, 9.11.0 to 9.11.6, 9.12.0 -to 9.12.4 and 9.14.0, and BIND 9 Supported Preview Edition versions 9.9.3-S1 to 9.11.5-S3 and 9.11.5-S5. Versions 9.13.0 to 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated.

The medium-rated CVE-2019-6467, covering BIND 9.12.0 to 9.12.4, 9.14.0 and all releases in the 9.13 development branch, covers "a programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally." A successful exploit would see an attacker deliberately trigger the condition forcing BIND to exit thus denying service to others.

CVE-2019-6468, a medium-rated vulnerability, impacts BIND Supported Preview Edition versions 9.10.5-S1 to 9.11.5-S5, and centres on an error in the nxdomain-redirect feature in versions that support EDNS Client Subnet features. In these versions, enabling nxdomain-redirect is likely to lead to BIND exiting due to an assertion failure.

ICS is recommending all users update to the latest version of BIND.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike