
DNS Oops. Crashing bind from remote.

It’s been a while since my last post, and this one is a doozy.

BIND is one of the most popular DNS servers on the planet; just about everyone runs it somewhere. So when news breaks that a single specially crafted request can make the named daemon (the BIND server process) exit, that is a problem for an awful lot of people.

Enter CVE-2015-5477

The official report says:

named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.

This doesn’t really convey the severity of the issue. Thankfully, ISC elaborate in their own write-up of the bug. In it, they say:

The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer. I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind. Please take steps to patch or download a secure version immediately. This bug is designated “Critical” and it deserves that designation.

Essentially, “You’re screwed. Upgrade now”.

If you’re a system admin and you’re reading this, check your BIND version now (`named -v` prints it), make a coffee, then dig in for the long haul.
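The version check itself is mechanical enough to script. The following is an added example, not code from the original post or from ISC: it classifies a BIND version string against the two fixed releases named in the CVE text (9.9.7-P2 and 9.10.2-P3), treating every earlier 9.x as affected, and can run the check against the local `named`. It assumes `named -v` prints a line starting with `BIND <version>`, which is how ISC builds and the common distro packages report it; the sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify a BIND version string
# against the fixed releases named in CVE-2015-5477, 9.9.7-P2 and 9.10.2-P3.
# Assumes `named -v` prints a line beginning "BIND <version>", as ISC builds
# and the common distro packages do.

# bind_version_vulnerable "BIND 9.9.5-3ubuntu0.2-Ubuntu <id:f9b8a50e>"
# Prints one of: vulnerable, fixed, unknown.
# Returns 0 when vulnerable, 1 when fixed, 2 when no version can be read.
bind_version_vulnerable() {
    # First x.y.z token after any leading text, e.g. "9.9.5" or "9.10.2".
    base=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    # ISC patch level from an immediately following "-P<n>". Anything else
    # after the dash (a distro revision such as "-3ubuntu0.2") is not one.
    plevel=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-P\([0-9][0-9]*\).*/\1/p')
    [ -n "$base" ] || { echo unknown; return 2; }
    : "${plevel:=0}"

    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # The advisory covers BIND 9 only; anything else needs a manual look.
    [ "$major" -eq 9 ] || { echo unknown; return 2; }

    vulnerable=0
    if [ "$minor" -lt 9 ]; then
        vulnerable=1                    # 9.0 through 9.8: all affected (and end-of-life)
    elif [ "$minor" -eq 9 ]; then
        if [ "$patch" -lt 7 ] || { [ "$patch" -eq 7 ] && [ "$plevel" -lt 2 ]; }; then
            vulnerable=1                # anything before 9.9.7-P2
        fi
    elif [ "$minor" -eq 10 ]; then
        if [ "$patch" -lt 2 ] || { [ "$patch" -eq 2 ] && [ "$plevel" -lt 3 ]; }; then
            vulnerable=1                # anything before 9.10.2-P3
        fi
    fi

    if [ "$vulnerable" -eq 1 ]; then echo vulnerable; return 0; fi
    echo fixed; return 1
}

# check_local_named: run the classification against the named on this host.
check_local_named() {
    command -v named >/dev/null 2>&1 || { echo "named not found on this host"; return 2; }
    bind_version_vulnerable "$(named -v 2>/dev/null | head -n 1)"
}

# Run as a script: no argument checks the local named; an argument is treated
# as a version string to classify. The status is dropped at top level; callers
# that need it use the functions directly, e.g. `if bind_version_vulnerable ...`.
if [ "$#" -gt 0 ]; then
    bind_version_vulnerable "$1" || :
else
    check_local_named || :
fi
```

One caveat a practitioner needs here: distributions often backport the fix without bumping the upstream version number, so a "vulnerable" verdict on a packaged BIND (for example one reporting `9.9.5-3ubuntu0.2-Ubuntu`) has to be cross-checked against the package changelog or the distro's own advisory for CVE-2015-5477 before you treat the box as unpatched. A "fixed" verdict on an ISC version string, on the other hand, is exactly what the CVE text promises.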

This post is licensed under CC BY 4.0 by the author.