A recent flaw in the BIND open-source software used for DNS servers allows denial-of-service attacks on both authoritative and recursive DNS servers, by constructing a flawed UDP packet that exploits an error in the handling of queries for TKEY records.
Dubbed as critical by the CVE-2015-5477 advisory, affected BIND servers include versions 9.1.0 up to 9.8.x, 9.9.0 up to 9.9.7-P1, and 9.10.0 up to 9.10.2-P2.
“An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit,” reads the advisory. “Both recursive and authoritative servers are vulnerable to this defect. Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.”
Because DNS servers are a fundamental part of the internet infrastructure – converting domain names into numeric IP addresses – system administrators should plug the vulnerability by installing the latest BIND patch released by ISC.
“Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds,” said ISC engineer Michael McNally. “Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then.”
The vulnerability hasreportedly been weaponized as part of a proof-of-concept, although no in-the-wild reports have been confirmed. Because patching is said to completely protect against the vulnerability, McNally believes it’s only a matter of time before real-world attacks occur.
“The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer,” wrote McNally. “I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.”