SANS ISC: BIND 9 Update fixing CVE-2013-3919 - Internet Security | DShield SANS ISC InfoSec Forums


BIND 9 Update fixing CVE-2013-3919
Today BIND9 received an update fixing a "recursive resolver with a RUNTIME_CHECK error in resolver.c" [1]. Affected versions are BIND 9.6-ESV-R9, 9.8.5, and 9.9.3. The rated CVSS on this one is 7.8 [1,2].
 
To quote isc.org:
 
"At the time of this advisory no intentional exploitation of this bug has been observed in the wild. However, the existence of the issue has been disclosed on an open mailing list with enough accompanying detail to reverse engineer an attack and ISC is therefore treating this as a Type II (publicly disclosed) vulnerability, in accordance with our Phased Disclosure Process."
 
It is time to review those BIND9 servers and start the process of patching.
 
[1] https://kb.isc.org/article/AA-00967
[2] http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Richard Porter

--- ISC Handler on Duty

We've seen a dramatic uptick in Bind/DNS version attempts. They usually come from the same IP addresses, repeatedly. This has been going on for about the last 3-4 days. Anyone else seeing similar traffic? I'm wondering if it is related.
Anonymous
Beave! I just came here looking for hints about the same thing:
21x from 117.135.144.125
20x from 222.186.26.115
19x from 60.28.246.143

Since DNS is a stateless protocol, wouldn't it be easier to just try an exploit than to do a version check first?

I can't imagine CVE-2013-3919 (a mere DoS) being all that interesting to someone doing widespread scans - you would usually have a specific target for that - so maybe this relates to something older?
Steven C.

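The repeated version queries described in the comments above can be counted per source from a resolver's own query log. The following is an added example, not part of the original diary or its comments: it assumes BIND query logging is enabled and that each line follows the `client <ip>#<port> ... query: <name> <class> <type>` layout, and the sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the style of BIND 9 query logging;
# all addresses come from documentation ranges, not from real traffic.
SAMPLE_LOG = """\
12-Jun-2013 08:01:12.101 client 192.0.2.10#40001 (version.bind): query: version.bind CH TXT + (203.0.113.53)
12-Jun-2013 08:01:13.530 client 198.51.100.7#51515 (www.example.com): query: www.example.com IN A + (203.0.113.53)
12-Jun-2013 08:02:40.007 client 192.0.2.10#40002 (version.bind): query: version.bind CH TXT + (203.0.113.53)
12-Jun-2013 08:03:55.912 client 192.0.2.10#40003 (VERSION.BIND): query: VERSION.BIND CH TXT + (203.0.113.53)
12-Jun-2013 08:04:02.250 client 198.51.100.7#51600 (version.bind): query: version.bind CH TXT + (203.0.113.53)
12-Jun-2013 08:04:30.000 client 198.51.100.22#33000 (version.bind): query: version.bind IN TXT + (203.0.113.53)
12-Jun-2013 08:05:10.444 client 192.0.2.10#40004 (version.bind): query: version.bind CH TXT + (203.0.113.53)
"""

# Assumed layout: "client [@0x...] <src>#<port> ... query: <qname> <qclass> <qtype>"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+"
    r".*?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def version_probes(log_text):
    """Count version.bind CHAOS-class TXT queries per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query log line
        if (m["qname"].rstrip(".").lower() == "version.bind"
                and m["qclass"].upper() in ("CH", "CHAOS")
                and m["qtype"].upper() == "TXT"):
            hits[m["src"]] += 1
    return hits

def repeat_probers(log_text, threshold=3):
    """Sources that sent at least `threshold` version queries, busiest first."""
    counts = version_probes(log_text)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for src, n in repeat_probers(SAMPLE_LOG):
        print(f"{n}x from {src}")
```
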