This article is more than 1 year old
ISC squishes BIND packet-of-death bugs
DNS servers are crashable until they're patched
BIND administrators, get patching: there are three irritating flaws you need to splat.
The denial-of-service vulnerabilities in question are CVE-2016-9131, CVE-2016-9147, and CVE-2016-9444.
Common to all three is that they're exploitable denial-of-service bugs that predominantly affect BIND-based DNS servers running in recursive mode (that is, if the DNS server doesn't have an answer locally, it passes the query upstream).
In CVE-2016-9131, if a BIND recursive server can be crashed by a malformed query response. The vulnerability note says the “combination of properties” that triggers the bug shouldn't occur in normal traffic, but an attacker could engineer a scenario that breaks the target.
In CVE-2016-9147, BIND can't handle query responses containing inconsistent DNSSEC information (DNSSEC is the standard that applies security to the domain name system): “an error in processing malformed query responses that contain DNSSEC-related RRsets that are inconsistent with other RRsets in the same query response can trigger an assertion failure.”
Finally, in CVE-2016-9444, an attacker could send a malformed answer containing a DS (delegation signer) record to crash the victim.
The Internet Systems Consortium has issued fixes here. ®
Biting the hand that feeds IT
