A patch is available to fix up a remotely exploitable denial of service (DoS) vulnerability in BIND 9, the software standard for implementing domain name system protocols online, said developers at the Internet Systems Consortium (ISC), which published a security advisory on the high priority issue.
There is a defect in BIND 9 that could potentially give a remote attacker the ability to crash recursive resolvers with a RUNTIME_CHECK error in resolver.c.
If an attacker were to send a query for a record in a specially malformed zone to the recursive server, it could potentially cause BIND 9 to exit with fatal RUNTIME_CHECK. In other words, triggering the defect here has the impact of causing a service denial to recursive DNS clients that use that particular server.
The bug affects BIND 9.6-ESV-R9, 9.8.5, and 9.9.3 but does not affect versions 9.6.0 through 9.6-ESV-R8, 9.8.0 through 9.8.4-P2, and 9.9.0 through 9.9.2-P2. Click here to review the advisory.
The advisory goes on to note other versions of BIND do not suffer from this vulnerability but that they are also no longer supported by the ISC and may contain any number of other unfixed security bugs.
The ISC is not aware of an instance where attackers exploited this vulnerability in the wild. They are classifying the issue as a type II vulnerability, meaning there has been a public disclosure because it was on a mailing list with enough detail that an attacker could potentially reverse engineer an exploit for the vulnerability.
No workaround exists, but a new version of BIND provides a solution for the problem. The ISC is recommending BIND users upgrade to the patched release most closely related to their current version of BIND.
In March, the ISC shipped a security patch that fixed a vulnerability that could have allowed attackers to not only cause DoS conditions on affected servers but also compromise other software on the machines. Up to the point of the patch, the critically rated flaw affected millions of BIND servers.