Critical vulnerabilities are often leveraged in attack scenarios, varying from denial-of-service to malware infiltration cases. A serious vulnerability was recently patched, the kind that would allow attackers to carry out denial-of-service attacks via the Berkeley Internet Name Domain (BIND) exploits. The vulnerability in question is known under CVE-2016-2776, and was discovered during internal testing by the ISC.
What Is BIND?
BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s at the University of California at Berkeley.
In addition, BIND is also known as the standard for Linux and other Unix-based systems. This means that a flaw can impact a large number of servers and applications. As already stated, the BIND vulnerability could be leveraged in DoS attacks where various organizations can be targeted. The attacks could lead to disabling, shutting down, or disrupting a service, network, or website.
Researchers say that active attacks were reported on October 5, shortly after a proof-of-concept was released on October 1. In addition, the flaws affect BIND9 versions including 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3.
More about CVE-2016-2776
The vulnerability can be activated when a DNS server constructs a response to a forged query where the response size crosses the default DNS response size (512). Apparently, ISC has already fixed two vulnerable functions (dns_message_renderbegin () and dns_message_rendersection() ) to fix the vulnerability.
As explained by TrendMicro, when a DNS server constructs a response for a DNS Query, it reserves the space in the response buffer (which is 512 in size, by default), it will increment the msg->reserved by the size required for Answer RR. The size also adds up in msg->reserved size, which would be the same if the response buffer has other Resource Records.
Before patching, the server does not take fixed 12-byte DNS headers into consideration, which also adds to the response traffic after rendering the Resource Records from Query through function dns_message_rendersection(). So if the DNS response(r.length) traffic is less than 512 bytes (msg->reserved), the function will return true, but adding the fixed 12-byte header will cause the service to terminate if it exceeds the fixed reserved size of 512 bytes.
The patch allows servers to decrease the DNS header length from the total response length by 12 bytes. Then it compares it to the reserved buffer size to provide correct calculations for response size.
- BIND 9 version 9.9.9-P3
- BIND 9 version 9.10.4-P3
- BIND 9 version 9.11.0rc3
- BIND 9 version 9.9.9-S5