The Internet Systems Consortium (ISC) announced the presence of a serious flaw in the BIND DNS software that can be exploited by remote attackers to cause a denial-of-service (DoS) condition.

The vulnerability tracked as CVE-2018-5740 was discovered by Tony Finch of the University of Cambridge. The flaw has been assigned a CVSS score of 7.5, the expert pointed out that the flaw only affects servers that have on a feature called “deny-answer-aliases” enabled. The good news is that this specific feature is disabled by default.

The “deny-answer-aliases” feature is was implemented to help recursive server operators protect users against DNS rebinding attacks. The DNS rebinding arracks allow any website to create a dns name that they are authorized to communicate with, and then make it resolve to localhost. A remote hacker to abuse the targeted user’s browser to directly connect with hosts on the local network and exploit flaws in these systems.

“deny-answer-aliases” is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers.  However, a defect in this feature makes it easy, when the feature is in use, to experience an INSIST assertion failure in name.c.” states the security advisory published by the ISC.

“Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients.  Only servers which have explicitly enabled the “deny-answer-aliases” feature are at risk and disabling the feature prevents exploitation.”

The vulnerability affects BIND versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2.

The ISC has issued a security patch that is implemented in versions 9.9.13-P1, 9.10.8-P1, 9.11.4-P1 and 9.12.2-P1. The organization also provided a workaround that consists in disabling the “deny-answer-aliases” feature.

“Most operators will not need to make any changes unless they are using the “deny-answer-aliases” feature (which is described in the BIND 9 Adminstrator Reference Manual section 6.2.)  “deny-answer-aliases” is off by default; only configurations which explicitly enable it can be affected by this defect.” continues the advisory.

“If you are using “deny-answer-aliases”, upgrade to the patched release most closely related to your current version of BIND.

• 9.9.13-P1
• 9.10.8-P1
• 9.11.4-P1
• 9.12.2-P1″

At the time, there is no news about the exploitation of the flaw in attacks in the wild.

Pierluigi Paganini

(Security Affairs – BIND DNS software, DoS)

[adrotate banner=”5″]

[adrotate banner=”13″]