ISC resolves trio of BIND 9 denial-of-service vulnerabilities

DNS software unbound from crash bugs

The Internet Systems Consortium (ISC) has released a series of security updates that address vulnerabilities in BIND 9, the industry standard Domain Name System (DNS) software.

First up is CVE-2018-5743 – a high severity bug that drowns out communications by allowing an unsupportable number of clients to chat on a channel at the same time.

“By design, BIND is intended to limit the number of TCP clients that can be connected at any given time,” reads the security advisory.

“Unfortunately, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit.”

According to ISC, by exploiting the failure to limit simultaneous TCP connections, an attacker could “deliberately exhaust the pool of file descriptors available”. This could potentially affect network connections and the management of key files.

Moving on, CVE-2019-6468 is a medium severity flaw impacting BIND Supported Preview Edition – a special edition of the networking software.

ISC explains that an error in the nxdomain-redirect feature can occur in versions that support EDNS Client Subnet (ECS) features.

“In those versions which have ECS support, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure,” the advisory reads.

Last on the list is CVE-2019-6467. This vulnerability also relates to the nxdomain-redirect feature, although ISC said the bug is something of an edge case.

“A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally,” the consortium said.

“An attacker who can deliberately trigger the condition on a server with a vulnerable configuration can cause BIND to exit, denying service to other clients.”

Users and administrators are advised to review each of the security advisories for a detailed breakdown of the vulnerabilities and a complete list of impacted versions.