LinuxQuestions.org

Linux - Security: ISC BIND 9 Denial of Service Vulnerability (https://www.linuxquestions.org/questions/linux-security-4/isc-bind-9-denial-of-service-vulnerability-743586/)

win32sux 07-29-2009 01:26 AM

ISC BIND 9 Denial of Service Vulnerability
 
NOTE: An exploit for this is in the wild.
Quote:

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.
ISC Security Advisory | US-CERT Vulnerability Note | CVE-2009-0696
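Since the advisory says access controls will not prevent the crash, monitoring dynamic-update traffic is about all that is left besides patching. As an added example (not from this thread, ISC or Red Hat), here is a small Python script that picks DNS UPDATE requests out of captured UDP payloads and flags those aimed at zones the server masters from sources not expected to send updates; the master-zone list, the allowed-source list and the sample packets are constructed for illustration.

```python
import struct
OPCODE_UPDATE = 5  # opcode value for dynamic UPDATE (RFC 2136)

def read_name(msg, off):
    """Decode a DNS name at offset `off`, following compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels).lower(), (off if end is None else end)

def update_zone(msg):
    """Return the zone named in a DNS UPDATE request, or None for anything else."""
    if len(msg) < 12:                                  # shorter than a DNS header
        return None
    flags, zocount = struct.unpack('!HH', msg[2:6])
    if flags >> 15 or ((flags >> 11) & 0xF) != OPCODE_UPDATE or zocount != 1:
        return None                                    # response, not UPDATE, or odd zone count
    return read_name(msg, 12)[0]

def flag_updates(packets, master_zones, allowed_sources):
    """Return (src_ip, zone) for UPDATE requests to a mastered zone from an unexpected source."""
    alerts = []
    for src, payload in packets:
        zone = update_zone(payload)
        if zone in master_zones and src not in allowed_sources:
            alerts.append((src, zone))
    return alerts

def build_update(zone):
    """Constructed sample: a minimal UPDATE request carrying only a zone section."""
    hdr = struct.pack('!HHHHHH', 0x1234, OPCODE_UPDATE << 11, 1, 0, 0, 0)
    name = b''.join(bytes([len(l)]) + l.encode() for l in zone.split('.')) + b'\x00'
    return hdr + name + struct.pack('!HH', 6, 1)        # zone type SOA, class IN

# Constructed traffic: a sanctioned DHCP server, an unknown host, and a plain query
SAMPLE = [('192.0.2.10', build_update('example.com')),
          ('198.51.100.7', build_update('example.com')),
          ('198.51.100.7', build_update('other.test')),
          ('198.51.100.7', struct.pack('!HHHHHH', 1, 0x0100, 1, 0, 0, 0) + build_update('example.com')[12:])]
ALERTS = flag_updates(SAMPLE, {'example.com'}, {'192.0.2.10'})
```

In practice the payloads would come from a capture on UDP/TCP port 53 in front of the master, and a burst of UPDATE requests to a master zone from an unexpected source right before named exits is the pattern worth alerting on.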

MensaWater 07-31-2009 02:27 PM

This exploit affects all BIND 9 releases, not just 9.4.x onward.

The BIND you get canned with your RHEL (and probably other distros) may be earlier than 9.4.x (for example it is 9.3.x on RHEL5).

Red Hat released updates for the canned versions for RHEL3, RHEL4 and RHEL5 last night that backported the fix into these earlier versions.

win32sux 08-04-2009 03:17 PM

Okay, time to unsticky this. :)

