The Internet Systems Consortium issued an emergency security patch (CVE-2017-3135) to the BIND domain system, continue reading to learn more.
Dangerous Vulnerability in BIND Patched (CVE-2017-3135)
Dangers continue to spread, The Internet System Consortium has issued an emergency critical patch o the BIND domain name system (DNS) service. An issue has been identified which allows hackers to trigger a remote exploit which results in a system crash. As a consequence this can lead to network disruptions and even sabotage. BIND is the most popular solution that is used for running DNS services. It is an open-source software that originally was developed at the University of California at Berkeley.
BIND itself is made of three main parts:
-
Domain Name Resolver – This component resolves any questions directed towards the service by sending them to the appropriate servers. The resolver handles any relevant traffic and routes the messages between the parties.
-
Domain Name Authority server – This component answers any requests from the resolvers.
-
Tools – All additional utilities such as diagnostic and operational tools.
The following BIND service versions are considered vulnerable:
-
9.8.8
-
9.9.3-S1
-
9.9.3
-
9.9.10b1
-
9.10.0
-
9.10.5b1
-
9.11.0
The issue has been tracked under the CVE-2017-3135 advisory. In essence the problem lies in a incosistent state after a query processing. This triggers an INSIST assertion failure or an ttempt to read a NULL pointer. As a result of the INSIST assertion failure an abort operation can be caused. This means that remote hackers can cause process crashes. The vulnerability affects both the DNS64 and RPZ functions that are part of BIND.
-
DNS64 is a function mechanism that allows the synthesis of AAAA records from A records. It’s used mainly to allow Ipv6-only hosts to receive Ipv6 addresses that are proxied to Ipv4 clients.
-
The RPZ function is used by BIND to recursively resolve hosts and allows for resolution handling of DNS information collections.
Depending on the running versions the administrators can apply a patch which amends the problem. The other workaround is to disable the DNS64 or RPZ modules from the configuration options.