BIND 9: DNS Server Software Has Flaws
Users Urged to Take Immediate Mitigation Action
The developer of Berkeley Internet Name Domain, or BIND 9, an open-source implementation of the Domain Name System, is advising users to mitigate three vulnerabilities that attackers could exploit remotely to crash servers or make them inaccessible.
In an alert, the Internet Systems Consortium, which develops BIND 9, says the vulnerabilities are present in its DNS redirection feature (DNAME), in the GSS-TSIG protocol used to exchange keys securely, and in incremental zone transfer (IXFR), the mechanism that replicates zone content across a set of DNS servers.
The consortium says that, so far, it has not detected any exploits of the flaws in its DNS server software. It has released patches for two of the vulnerabilities, and the third requires users to upgrade to the latest version. BIND 9 supports Linux, NetBSD, FreeBSD, OpenBSD, macOS, Windows and Solaris operating systems.
The three BIND 9 vulnerabilities are:
- CVE-2021-25216: This is a highly critical vulnerability that affects the GSS-TSIG protocol, which is used for the secure exchange of keys and verifies the authenticity of communications between parties on a network. In a system that uses BIND's default configuration settings, attackers could exploit this vulnerability to trigger a buffer overflow that crashes the server. In some cases, ISC says, an exploit could lead to remote code execution, giving attackers a foothold for further attacks. The consortium has released an updated version that fixes the issue.
- CVE-2021-25215: This is a high-severity vulnerability in the handling of DNAME, which provides redirection for DNS. The flaw causes the server to repeat certain processing, which can make the BIND process terminate, with the same effect as a denial-of-service attack. ISC has issued a patch.
- CVE-2021-25214: This is a medium-severity flaw that affects multiple BIND versions. It is present in incremental zone transfers, or IXFR, and arises when a vulnerable BIND version receives a malformed IXFR, causing it to remove important information about a domain or zone, such as the email address of the administrator. Exploiting this would enable a DoS attack, causing the BIND process to terminate. The vulnerability can be mitigated by disabling IXFR and by patching.
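As an added illustration of the IXFR workaround mentioned for CVE-2021-25214 (this fragment is not from the article or from ISC's advisory), here is a named.conf excerpt for a BIND 9 secondary server that disables incremental zone transfer requests so the server falls back to full zone transfers; the zone name and primary address are placeholders.

```conf
// Added example: named.conf fragment for a BIND 9 secondary server.
// The zone "example.test" and the primary 192.0.2.10 are constructed placeholders.
options {
    directory "/var/cache/bind";

    // Workaround until the server is patched: do not request incremental
    // zone transfers. The default is "yes"; with "no" the secondary asks
    // for a full AXFR instead, so it never processes an incoming IXFR.
    request-ixfr no;
};

zone "example.test" {
    type secondary;
    primaries { 192.0.2.10; };
    file "db.example.test";

    // The same option can be set per zone; it overrides the global
    // setting for this zone only. Shown here for clarity.
    request-ixfr no;
};
```

The setting only changes how this server requests transfers; patching to a fixed BIND release remains the complete remedy.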
The security firm Black Lotus Labs found last year that in other DNS attacks, the attackers were using unsecured DNS protocols for communication between infected POS devices and their command-and-control servers to exfiltrate data (see: POS Malware Using DNS to Steal Payment Card Data).
Another report by a group of researchers from the University of California at Riverside and Tsinghua University in Beijing identified a new type of DNS cache poisoning attack called SAD DNS, which is used in spoofing attacks (see: Brace for DNS Spoofing: Cache Poisoning Flaws Discovered).
Recently, Forescout Research Labs and the Israeli security firm JSOF found nine DNS vulnerabilities affecting four TCP/IP stacks that, if exploited, could lead to remote code execution or denial-of-service attacks on millions of devices (see: Millions of Devices Potentially Vulnerable to DNS Flaws).
In response to rising DNS attacks, in March the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency released new guidance on how to choose and deploy a Protective Domain Name System service to strengthen security (see: Tips on Selecting a Protective DNS Service).