Potential 0-day on Bind 9

Published: 2011-11-16
Last Updated: 2011-11-17 12:58:47 UTC
by Jason Lam (Version: 1)
9 comment(s)

Internet System Consortium has published an alert earlier as they are investigating a potential vulnerability on Bind 9. There are reports of the DNS server software crashing while generating log entry - "INSIST(! dns_rdataset_isassociated(sigrdataset))" The details on this is rather limited at this point, aside from DoS effect, it's unknown whether code execution is possible at this point. 

Reference - http://www.isc.org/software/bind/advisories/cve-2011-tbd

Update:

ISC would appreciate network captures of active attacks against this BIND vulnerabiliy. Please submit to us via Contact Form.

Update 2:

Patches are now available:
http://www.isc.org/software/bind
https://www.isc.org/software/bind/advisories/cve-2011-4313

Update 3:

There have been a number of reports of people being affected.  If you are one and you have some packets to share it would be appreciated if you can share them. We'll  anonymise any identifying info.

Thanks

Mark

Update 4:

Several honeypots have been hit with unsolicited recursive DNS queries. Whilst the query itself is normal, it is possible that this is part of a scan looking for servers that may be vulnerable.  If you happen to be monitoring your DNS and you notice a recursive request let us know.  if you can share information that would be great. Ideally a capture, but the source and the domain requested will be enough for now.  

Thanks  

Mark 

Keywords: 0day bind 9 DNS
9 comment(s)

Comments

There's a targeted attack going on right now at various .edu's across the country...so far, at least 35 have been hit and taken down briefly. Intelligence indicates this is "practice" for a bigger attack, so I have been told by our IT gurus above me.
Do you have some data to back that up?
Hello Wes,

I have been getting this information from our campus IT department, which has been quoting a "reliable listserv", but they didn't elaborate and right now, they're too busy to talk. However, isc.org is noting "organizations across the Internet" are being hit. Furthermore, I posted the info on a weather users list, and immediately got a call from one of the head IT guys at the National Weather Service. They're noting Google was starting to have DNS issues, and wondered if I had any further info. Explaining I'm not a DNS person, and not having any info to the sort, I told him that I didn't know, but the NWS is very concerned about this. I pointed them to the patch now available at isc.org, at which point he thanked me, and they're going to look at getting their DNS servers patched right away.
As a P.S., our IT guys sent out a message indicating that between last night and this morning, 89 universities were targeted, experiencing "significant to complete loss" of DNS service and resulting network outages. This again from a "reliable listserv" which I don't know to which they are referring. In any case, our primary campus DNS server is going completely down for 30 minutes tonight to throw that patch on.
Definitely experienced this problem at $WORKPLACE (a US .edu) last night.

I have also heard reports of DNS issues within Amazon EC2, though no idea if that's also related. Thus far, knock wood, my personal machines haven't experienced issues.
- http://status.aws.amazon.com/
Status History - Americas
Nov 15: ... resolved... DNS resolution errors... US-WEST-1 region
Nov 16: ... resolved... Delayed EC2, EBS, and RDS Metrics in US-WEST-1
.
A reader has shared a press-release from infoblox announcing that patches are available for their products.

http://www.infoblox.com/en/news/press-releases/2011/infoblox-customers-protected-against-recent-dns-vulnerability.html

Some added info... http://threatpost.com/en_us/blogs/new-flaw-bind-causing-server-crashes-111611
When so many far more secure and stable alternatives exist, why does anyone still use bind?

Diary Archives