It came as a shock. The most widely used DNS software, BIND, contains a critical security flaw that could easily lead to denial-of-service attacks. Read on for the details and for how you can protect yourself.
What Is The Vulnerability Actually?
The libdns library, which is part of the BIND software, handles regular expressions incorrectly. Because of this flaw, it is possible to send a specially crafted request containing a regular expression that causes the “named” daemon to consume excessive memory. This memory leak makes the server sluggish, and eventually the whole system could crash.
How Was It Discovered?
A user named Daniel Franke sent a message to the Full Disclosure security mailing list on Wednesday, stating: “It took me approximately ten minutes of work to go from reading the ISC advisory for the first time to developing a working exploit. I didn’t even have to write any code to do it, unless you count regexes [regular expressions] or BIND zone files as code. It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild.”
Jeff Wright, manager of quality assurance at the ISC, acknowledged the vulnerability.
“ISC would like to point out that the vector identified by Mr. Franke is not the only one possible, and that operators of *ANY* recursive *OR* authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue,” Wright said. “We wish, however, to express agreement with the main point of Mr. Franke’s comment, which is that the required complexity of the exploit for this vulnerability is not high, and immediate action is recommended to ensure your nameservers are not at risk.”
Which Versions Are Affected?
BIND versions 9.7.x, 9.8.0 up to 9.8.5b1 and 9.9.0 up to 9.9.3b1 on UNIX-like systems are vulnerable. Windows versions of BIND are not affected. Note that BIND is by far the most widely used DNS software, mainly on Linux and Mac servers.
How To Protect Your Server?
The easiest solution is to disable support for regular expressions. BIND versions 9.8.4-P2 and 9.9.2-P2 have already been released with regular expression support disabled by default. BIND 9.7.x is no longer supported and won’t receive an update. So, to stay safe, update your BIND to version 9.8.4-P2 or 9.9.2-P2.
Manual solution, as per the security advisory:
1. After configuring BIND features as desired using the configure script in the top-level source directory, manually edit the “config.h” header file that was produced by the configure script.
2. Locate the line that reads “#define HAVE_REGEX_H 1” and replace the contents of that line with “#undef HAVE_REGEX_H”.
3. Run “make clean” to remove any previously compiled object files from the BIND 9 source directory, then proceed to make and install BIND normally.
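The three advisory steps above, scripted as an added example (this is not ISC's code): a POSIX shell function that rewrites the HAVE_REGEX_H line in a generated config.h, a check that regex support is really disabled afterwards, and a wrapper that runs the configure, clean, build and install sequence on a BIND source directory whose path you supply. The sample config.h used for the demonstration is constructed here, not a real generated file.

```shell
#!/bin/sh
# Added example: applies the advisory's manual mitigation to a BIND 9 source
# tree by turning "#define HAVE_REGEX_H 1" in config.h into "#undef HAVE_REGEX_H".
set -eu

# Rewrite the HAVE_REGEX_H line in the given config.h in place.
# Returns 0 if the define was found and replaced, 1 if no such define exists.
disable_regex_in_config_h() {
    cfg="$1"
    if ! grep -q '^#define HAVE_REGEX_H 1' "$cfg"; then
        return 1
    fi
    # Portable in-place edit: write to a temp file, then move it over.
    tmp="$cfg.tmp.$$"
    sed 's/^#define HAVE_REGEX_H 1$/#undef HAVE_REGEX_H/' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Returns 0 only if config.h no longer enables regex support.
regex_disabled() {
    cfg="$1"
    ! grep -q '^#define HAVE_REGEX_H' "$cfg" && grep -q '^#undef HAVE_REGEX_H' "$cfg"
}

# Full procedure on a BIND 9 source directory (path is an assumed argument):
# configure, patch config.h, verify, then clean, build and install per the advisory.
rebuild_without_regex() {
    srcdir="$1"
    ( cd "$srcdir" &&
      ./configure &&
      disable_regex_in_config_h config.h &&
      regex_disabled config.h &&
      make clean && make && make install )
}

# Constructed sample config.h (not a real generated file) to demonstrate the edit.
# Prints the path of the created file.
demo_config_h() {
    dir=$(mktemp -d)
    printf '%s\n' '/* config.h.  Generated from config.h.in by configure.  */' \
        '#define HAVE_REGEX_H 1' '#define HAVE_STDLIB_H 1' > "$dir/config.h"
    printf '%s' "$dir/config.h"
}

# Usage: sh this_script.sh /path/to/bind-9.x.y   (runs the real rebuild)
if [ -n "${1:-}" ]; then
    rebuild_without_regex "$1"
fi
```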
So far there are no reports of active exploitation.
Always keep your server and computer software updated to stay safe.