BIND Dynamic Update DoS
Following disclosure on a Debian bug-tracking system, the ISC has released urgent patches to their BIND DNS name server code. This issue has been classified as critical by most security organisations and is known as CVE-2009-0696 and CERT VU#725188.
Exploitation of this vulnerability would result in a crash of the DNS server, and could lead to a Denial of Service (DoS). Analysis by Network Box Security Response, and others, indicates that this is not currently exploitable to gain remote access. However, the attack is possible against vulnerable ISC BIND DNS servers hosting MASTER zones (i.e. DNS servers hosting only slave zones are not affected by this).
Research into the issue by Network Box Security Response engineers has shown that the attack is at such a low level that the vulnerability occurs before the rndc authentication layer. This means that the attacker does not need to know the rndc key name or secret value in order to exploit this (although they would need to know that to remotely change a DNS record). The attacker does need to know the FQDN of a master zone hosted by the vulnerable name server, as well as a record to update in that domain. The attack is exploitable over the standard UDP port 53.
Network Box Security Response has already released an out-of-cycle patch to provide protection against this vulnerability. We have also released optional protection instructions for blocking these dynamic DNS update packets from passing through a Network Box device (in order to protect customer DNS servers). If customers are concerned about this issue, we recommend that they contact their local Network Box support NOC for assistance.
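As an added illustration of the filtering approach described above (example code, not Network Box's or ISC's own): a small Python parser that identifies DNS UPDATE requests (opcode 5) on UDP/53 and checks whether the zone they target is one of the server's master zones, so an in-line filter can drop updates aimed at master zones while leaving ordinary queries alone. The `master_zones` set and the `example.com` sample packets are constructed for the example.

```python
import struct
OPCODE_UPDATE = 5  # DNS UPDATE opcode (RFC 2136)

def _read_name(msg, off):
    """Decode the name at msg[off], following compression pointers; return (name, end offset)."""
    labels, end = [], None
    for _ in range(128):  # guard against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    else:
        raise ValueError("malformed name: too long or pointer loop")
    return ".".join(labels).lower(), (end if end is not None else off)

def classify(payload, master_zones):
    """Classify a raw UDP/53 payload for an in-line filter: 'pass' (not an UPDATE request),
    'update-master-zone' (UPDATE aimed at a zone this server is MASTER for),
    'update-other-zone', or 'update-malformed'. master_zones is an assumed set of zone names."""
    if len(payload) < 12:
        return "pass"  # too short to carry a DNS header
    flags, zocount = struct.unpack("!HH", payload[2:6])
    is_response, opcode = flags >> 15, (flags >> 11) & 0xF
    if is_response or opcode != OPCODE_UPDATE:
        return "pass"  # ordinary queries and responses are untouched
    if zocount != 1:  # RFC 2136 section 2: exactly one zone entry
        return "update-malformed"
    try:
        zone, _ = _read_name(payload, 12)
    except (ValueError, IndexError, struct.error):
        return "update-malformed"
    return "update-master-zone" if zone in master_zones else "update-other-zone"

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".") if l) + b"\x00"

def build_request(name, opcode, msg_id=0x1234):
    """Constructed sample packet: header + one zone/question entry (SOA/IN for UPDATE, A/IN for a query)."""
    header = struct.pack("!HHHHHH", msg_id, opcode << 11, 1, 0, 0, 0)
    qtype = 6 if opcode == OPCODE_UPDATE else 1
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)
```

Feed `classify` the UDP payload of each port-53 datagram; a result of `update-master-zone` or `update-malformed` is what the blocking rule above would drop.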

