Several current versions of the BIND open-source DNS software contain a serious memory leak that an attacker could use to knock a vulnerable server offline.
The vulnerability is in BIND 9, and the Internet Software Consortium, which maintains BIND, has released updates for all of the affected versions. The bug lies in the way that BIND processes certain messages and handles memory allocation during that processing. An attacker could exploit the vulnerability by sending a specially crafted packet to a vulnerable server, which would trigger the memory leak.
“By exploiting this condition, an attacker can potentially cause named's memory use to grow without bounds until all memory available to the process is exhausted. Typically a server process is limited as to the amount of memory it can use but if the named process is not limited by the operating system all free memory on the server could be exhausted,” the BIND advisory says.
This vulnerability affects versions 9.10.7 through 9.10.8-P1, 9.11.3 through 9.11.5-P1, 9.12.0 through 9.12.3-P1, and 9.10.7-S1 through 9.11.5-S3 of the Supported Preview Edition.
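As an added example, not taken from the article or from ISC, the following Python check parses a BIND version string, such as the first line of `named -v` output, and tests it against the affected ranges listed above. It assumes ISC's usual version syntax, in which a -Pn suffix marks a patch release and an -Sn suffix marks a Supported Preview Edition release; the sample `named -v` line at the bottom is constructed for illustration.

```python
import re
from typing import NamedTuple

class BindVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    edition: str   # "" for the standard release train, "S" for the Supported Preview Edition
    level: int     # the n in -Pn or -Sn, 0 when no suffix is present

# Matches "9.11.5", "9.11.5-P1" or "9.11.5-S3" anywhere in a string,
# so raw "named -v" output such as "BIND 9.11.5-P1 (Extended Support Version)" works too.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?")

def parse_version(text: str) -> BindVersion:
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, kind, num = m.groups()
    return BindVersion(int(major), int(minor), int(patch),
                       "S" if kind == "S" else "", int(num or 0))

def _key(v: BindVersion):
    # Patch level sorts after the bare release: 9.11.5 < 9.11.5-P1 < 9.11.5-P2.
    return (v.major, v.minor, v.patch, v.level)

# Affected ranges as given in the advisory; the S range is the Supported Preview Edition.
AFFECTED = [(parse_version(lo), parse_version(hi)) for lo, hi in (
    ("9.10.7", "9.10.8-P1"),
    ("9.11.3", "9.11.5-P1"),
    ("9.12.0", "9.12.3-P1"),
    ("9.10.7-S1", "9.11.5-S3"),
)]

def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges for its edition."""
    v = parse_version(version)
    return any(v.edition == lo.edition and _key(lo) <= _key(v) <= _key(hi)
               for lo, hi in AFFECTED)

if __name__ == "__main__":
    # Constructed sample of "named -v" output; run "named -v" on the server for the real value.
    sample = "BIND 9.11.5-P1 (Extended Support Version) <id:PLACEHOLDER>"
    print(sample, "->", "affected" if is_affected(sample) else "not affected")
```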
ISC is also warning about two other vulnerabilities present in various versions of BIND 9. Neither one is as serious as the memory leak in named, but both can be exploited remotely. The first flaw is in the managed-keys feature of BIND, which lets a BIND resolver automatically maintain the trust-anchor keys it uses for DNSSEC validation.
“Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm,” the BIND advisory says.
The good news for BIND operators, though, is that it’s not very likely that an attacker would be able to reach this flaw.
“This particular vulnerability would be very difficult for an arbitrary attacker to use because it requires an operator to have BIND configured to use a trust anchor managed by the attacker. However, if successfully exercised, the defect will cause named to deliberately exit after encountering an assertion failure. It is more likely, perhaps, that this bug could be encountered accidentally, as not all versions of BIND support the same set of cryptographic algorithms,” the advisory says.
“Specifically, recent branches of BIND have begun deliberately removing support for cryptographic algorithms that are now deprecated (for example because they are no longer considered sufficiently secure.) This vulnerability could be encountered if a resolver running a version of BIND which has removed support for deprecated algorithms is configured to use a trust anchor which elects to change algorithm types to one of those deprecated algorithms.”
The other vulnerability that ISC has patched this week is an issue with the way that BIND handles some zone transfers. A zone transfer is the mechanism for copying the contents of a DNS zone from one server to other servers. The bug arises because the access control BIND uses to restrict zone transfers, the allow-transfer ACL, is not enforced for dynamically loadable zones (DLZs).
“A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL,” BIND’s advisory says.
ISC has released updated versions to fix each of these vulnerabilities.