Number: IRCNE2015072585
Date: 2015/07/30
According to “zdnet”, BIND operators released new versions of the DNS protocol software overnight to patch a critical vulnerability which can be exploited for use in denial-of-service cyberattacks.
Lead investigator Michael McNally from the Internet Systems Consortium (ISC) said in a security advisory the bug, CVE-2015-5477, is a critical issue which can allow hijackers to send malicious packets to knock out email systems, websites and other online services.
The advisory says the bug, awarded a CVSS score of 7.8, could impact on large swathes of the internet and is caused by "an error in the handling of [transaction key records] TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit."
BIND 9 from BIND 9.1.0 through BIND 9.9.7-P1 and BIND 9.10.2-P2 are all vulnerable to the exploit.
According to McNally, the ISC knows of no configuration workarounds to protect against exploitation -- the only way to prevent problems is to patch vulnerable BIND servers. Screening offensive packets with firewalls is "likely to be difficult or impossible," McNally says, as devices may not understand DNS at the protocol level, and "may be problematic even then."
- 6