Serious DoS Bug Patched in BIND 9

Several recent versions of the BIND name server are vulnerable to a remotely exploitable buffer overflow flaw that can cause the server to crash repeatedly, resulting in a denial of service. The vulnerability, along with several other less-serious ones, has been fixed in updated versions of BIND.

The DoS vulnerability (CVE-2020-8620) affects BIND 9.16.1 through 9.17.1 and it’s easily exploitable without any authentication. The bug doesn’t allow remote code execution or any privileged access to the BIND server, but could be used to knock the target server offline.

“An assertion failure exists within the Internet Systems Consortium's BIND server, versions 9.16.1 through 9.17.1 when processing TCP traffic via the libuv library. Due to a length specified in a callback for the library, flooding the server's TCP port used for larger DNS requests (AXFR) can cause the libuv library to pass a length to the server which will violate an assertion check in the server's verifications,” an advisory on the vulnerability by Emanuel Almeida of Cisco Systems, who discovered the vulnerability, says.

“This assertion check will terminate the service resulting in a denial of service condition. An attacker can flood the port with unauthenticated packets in order to trigger this vulnerability.”

BIND is the most widely deployed DNS name server on the Internet and is used in a huge variety of organizations, including enterprises, government agencies, and others. The Internet Systems Consortium, which maintains BIND, has released versions 9.16.6 and 9.17.4 to fix this issue and said it is not aware of any active exploits against the vulnerability.

Those new versions of BIND also contain patches for several other vulnerabilities, two of which can be used to crash a target server. Those two vulnerabilities are similar, but have different attack vectors. One of the flaws (CVE-2020-8622) can be exploited in two different ways, but in both cases the end result is that the server exits.

“An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit,” the BIND advisory says.

“Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.”

The other vulnerability only affects BIND servers that are configured with both the “forward first” and QNAME minimization options enabled.

“While query forwarding and QNAME minimization are mutually incompatible, BIND did sometimes allow QNAME minimization when continuing with recursion after 'forward first' did not result in an answer. In these cases the data used by QNAME minimization might be inconsistent, leading to an assertion failure, causing the server to exit,” the advisory says.
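For administrators triaging their own servers, the following added example (not code from ISC or from the advisories) compares a server's version against the fixed releases named above, branch by branch, and checks a `named.conf` for the "forward first" plus QNAME minimization combination. The banner and configuration are constructed samples, and the default behaviours noted in the comments are assumptions about BIND's defaults.

```python
import re

# Fixed releases named in the article, keyed by release branch (major, minor).
FIXED = {(9, 16): 6, (9, 17): 4}

def parse_version(text):
    """Pull (major, minor, patch) out of a banner such as 'BIND 9.16.3 (Stable Release)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def needs_update(version):
    """True/False for the 9.16 and 9.17 branches; None where the article names no fix."""
    major, minor, patch = version
    fixed_patch = FIXED.get((major, minor))
    return None if fixed_patch is None else patch < fixed_patch

def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out options are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def forward_first_with_qmin(conf):
    """Whole-file check (views and zones are not separated) for the risky combination."""
    conf = strip_comments(conf)
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", conf)
    has_forwarders = bool(fwd and fwd.group(1).strip())
    # Assumption: with forwarders set and no explicit mode, named uses "forward first".
    mode = re.search(r"\bforward\s+(first|only)\s*;", conf)
    forward_first = has_forwarders and (mode is None or mode.group(1) == "first")
    # Assumption: qname-minimization is on by default unless set to disabled/off.
    qmin = re.search(r"\bqname-minimization\s+(\w+)\s*;", conf)
    qmin_on = qmin is None or qmin.group(1) not in ("disabled", "off")
    return forward_first and qmin_on

# Constructed sample input: a version banner and an options block.
SAMPLE_BANNER = "BIND 9.16.3 (Stable Release)"
SAMPLE_CONF = """
options {
    forwarders { 192.0.2.53; };
    // forward only;
    qname-minimization relaxed;
};
"""

if __name__ == "__main__":
    print("needs update:", needs_update(parse_version(SAMPLE_BANNER)))
    print("forward first + QNAME minimization:", forward_first_with_qmin(SAMPLE_CONF))
```

The comparison is done per release branch because a plain range test would treat the fixed 9.16.6 as lying between 9.16.1 and 9.17.1.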