A flaw reported in the handling of regular expressions means most DNS servers running on Linux or Unix are vulnerable to denial-of-service attacks, according to security experts
A “critical” security flaw reported in BIND, the most widely used DNS server software, could allow attackers to crash domain name servers, according to the Internet Systems Consortium (ISC), which maintains BIND.
The flaw is particularly noteworthy in light of a massive distributed denial-of-service (DDoS) attack carried out recently against anti-spam organisation Spamhaus, said to be the largest ever recorded. The culprits relied on an increasingly popular technique called DNS reflection that makes use of DNS servers to amplify the effect of an attack.
Denial of service
The flaw affects the version of BIND used on Linux and Unix systems, but doesn’t affect the Windows version. BIND is the de facto standard DNS server software on Unix. Other programs using BIND’s libdns library are also potentially vulnerable to the same attack.
A bug in the way regular expressions are handled by BIND’s libdns library could allow an attacker to cause excessive memory consumption in the name daemon process, known as “named”, so that the process uses all available memory on the affected machine. This could cause BIND to crash, which could also affect other services running on the same server.
“A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server,” ISC said in a security advisory. “This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine.”
ISC said versions 9.7.x, 9.8.0 to 9.8.5b1 and 9.9.0 to 9.9.3b1 are affected. Versions earlier than BIND 9.7.0 are not affected, nor is BIND 10, but ISC remarked that BIND 10 is not feature-complete and may not be suitable as a replacement for earlier versions.
Patched versions of BIND called 9.9.2-P2 and 9.8.4-P2 have been released, eliminating the flaw by disabling support for regular expressions, while ISC said a workaround is for administrators to manually recompile BIND without regular expression support. BIND 9.7 is no longer being supported and will not be patched, but the re-compilation technique is also effective on this version, ISC said.
Ease of exploitation
While no exploit is currently known to be available, ISC said this flaw would not be difficult for an attacker to make use of, and urged system administrators to patch their systems immediately.
On the Full Disclosure mailing list last week, a programmer named Daniel Franke said he had developed an exploit in “approximately ten minutes”.
“I didn’t even have to write any code to do it, unless you count regexes [regular expressions] or BIND zone files as code,” Franke wrote. “It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild.”
“This… stands out from most other BIND vulnerabilities due to its ease of exploitation,” Franke added.
ISC manager of quality Jeff Wright responded that Franke’s method of exploitation is only one of many that attackers could use to attack affeted DNS servers.
“The vector identified by Mr. Franke is not the only one possible,” Wright wrote on Full Disclosure. “Operators of any recursive or authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue.”
Are you a security pro? Try our quiz!