Critical Flaw in Bind9 Software Can Kill DNS Servers
A freshly discovered flaw in the Berkeley Internet Name Daemon (BIND) could allow an attacker to bring a DNS server to a grinding halt through the use of regular expressions.
The vulnerability is known as CVE-2013-2266 and affects Linux and Unix versions of BIND from 9.7.x, 9.8.0 to 9.8.5b1 and 9.9.0 to 9.9.3b1, but not the same versions running on Windows. When successfully exploited, the named process consumes memory until the system exhausts it and crashes, taking down other services running on the same server with it.
“Programs using the libdns library from affected versions of BIND are also potentially vulnerable to exploitation of this bug if they can be forced to accept input which triggers the condition. Tools which are linked against libdns (e.g. dig) should also be rebuilt or upgraded, even if named is not being used,” reads the advisory posted by the Internet Systems Consortium.
BIND9 is the DNS server software maintained by the Internet Systems Consortium (ISC). It deals with domain name resolution – the conversion of domain names such as bitdefender.com into machine-readable formats (IP addresses) such as 188.8.131.52. It has a huge market share (over 75% of the world’s DNS servers are running BIND) and chances are that your computer used a BIND DNS server to take you to this page, so successful exploitation of your DNS server would render you unable to access the web pages and services you use regularly.
If you are a DNS server admin running a vulnerable version of BIND, you should update immediately to version 9.9.2-P2, which is available on the ISC site.
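As an added example (not part of the original article or ISC's own tooling), the following script checks the versions reported by `named -v` and `dig -v` against the affected ranges stated above; it assumes a Linux/Unix host, encodes 9.9.2-P2 from the article and 9.8.4-P2 as the fixed releases for the 9.9 and 9.8 branches, and treats 9.7.x as having no fix:

```python
import re
import subprocess

# BIND version ordering: betas ("b1") and release candidates ("rc1") sort
# before the plain release, "-P" patch releases sort after it.
STAGES = {"b": -2, "rc": -1, "": 0, "P": 1}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?(b|rc|P)(\d+))?$")
BANNER_RE = re.compile(r"\b(?:BIND|DiG)\s+(\d+\.\d+\.\d+(?:-?(?:b|rc|P)\d+)?)")

def parse(ver):
    """Turn a string such as '9.9.2-P2' into a comparable tuple (9, 9, 2, 1, 2)."""
    m = VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % ver)
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), STAGES[stage or ""], int(n or 0))

# Affected ranges as the article states them; 9.7.x is handled separately.
AFFECTED = [(parse("9.8.0"), parse("9.8.5b1")), (parse("9.9.0"), parse("9.9.3b1"))]
# Fixed releases: 9.9.2-P2 (from the article) and 9.8.4-P2 (ISC's fix for 9.8).
FIXED = [parse("9.8.4-P2"), parse("9.9.2-P2")]

def is_affected(ver):
    """True if this version falls in the vulnerable ranges and lacks the fix."""
    v = parse(ver)
    if v[:2] == (9, 7):
        return True  # the whole 9.7 branch is listed as affected
    if not any(lo <= v <= hi for lo, hi in AFFECTED):
        return False
    # A patch release at or above the fix on the same x.y.z line carries the fix.
    return not any(v[:3] == f[:3] and v[3:] >= f[3:] for f in FIXED)

def version_from_banner(text):
    """Extract the version from 'named -v' / 'dig -v' output, e.g. 'BIND 9.9.2-P1'."""
    m = BANNER_RE.search(text)
    return m.group(1) if m else None

def check_binaries(binaries=("named", "dig")):
    """Run each tool with -v and report (version, affected?) for those found."""
    results = {}
    for tool in binaries:
        try:
            out = subprocess.run([tool, "-v"], capture_output=True, text=True, timeout=5)
        except (OSError, subprocess.TimeoutExpired):
            continue  # tool not installed or unresponsive; skip it
        ver = version_from_banner(out.stdout + out.stderr)
        if ver:
            results[tool] = (ver, is_affected(ver))
    return results

if __name__ == "__main__":
    for tool, (ver, bad) in check_binaries().items():
        print("%s %s: %s" % (tool, ver, "AFFECTED by CVE-2013-2266" if bad else "not affected"))
```

Both named and dig are checked because, as the advisory notes, anything linked against an affected libdns needs rebuilding even where named itself is not in use.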