CERT-In Vulnerability Note
Denial of Service Vulnerability in ISC BIND
Original Issue Date: December 21, 2015
Severity Rating: MEDIUM
- ISC BIND versions 9.9.8 prior to 9.9.8-P1
- ISC BIND versions 9.9.8-S1 prior to 9.9.8-S2
- ISC BIND version 9.10.3 prior to 9.10.3-P1
- ISC BIND version 9.0.x prior to 9.9.8
- ISC BIND version 9.10.0 prior to 9.10.3
- ISC BIND version 9.9.7b1 & rc1, 9.10.2b1 & rc1
Multiple vulnerabilities have been reported in ISC BIND that could allow a remote attacker to cause the targeted service to terminate, resulting in denial of service conditions.
1. Denial of service vulnerability triggered by a malformed class attribute
This vulnerability exists in BIND because parsing a malformed class attribute can trigger an assertion failure in db.c. A remote attacker could exploit this vulnerability with a specially crafted class attribute that triggers a parsing error in db.c. Successful exploitation of this vulnerability could cause an assertion failure that crashes the named service.
2. Denial of service vulnerability triggered by a race condition
This vulnerability exists in BIND due to a race condition while handling socket errors that can lead to an assertion failure in resolver.c. A remote attacker could potentially exploit this vulnerability by triggering a race condition while socket errors are processed in resolver.c. Successful exploitation of this vulnerability could result in a denial of service condition.
- Upgrade to BIND 9.9.8-P2
- Upgrade to BIND 9.10.3-P2
- Upgrade to BIND 9.9.8-S3
Please refer to the link mentioned below for updates
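An added example (not part of the CERT-In note and not ISC tooling): a Python check that compares a BIND version string, such as the one printed by `named -v`, against the upgrade targets listed above. The function names, the support for only plain, b/rc, -P and -S version suffixes, the mapping of older 9.x release lines to the 9.9 target, and the sample inputs are assumptions.

```python
import re

# Upgrade targets listed in the note, keyed by release line.
TARGETS = {"9.9": "9.9.8-P2", "9.10": "9.10.3-P2", "9.9-S": "9.9.8-S3"}

_TOKEN = re.compile(r"\d+\.\d+\.\d+\S*")
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+)|-(P|S)(\d+))?")


def parse(text):
    """Return (sort_key, is_s_edition) for a BIND version string."""
    token = _TOKEN.search(text)
    match = _VERSION.fullmatch(token.group()) if token else None
    if match is None:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch = (int(g) for g in match.group(1, 2, 3))
    pre, pre_n, suffix, suffix_n = match.group(4, 5, 6, 7)
    if pre:       # beta and release candidate sort before the release
        stage = (0 if pre == "b" else 1, int(pre_n))
    elif suffix:  # -P<n> / -S<n> sort after the plain release
        stage = (3, int(suffix_n))
    else:
        stage = (2, 0)
    return (major, minor, patch) + stage, suffix == "S"


def upgrade_target(text):
    """Return the release to upgrade to, or None if already at or above it."""
    key, is_s_edition = parse(text)
    if key[0] != 9:
        raise ValueError("the note covers BIND 9 only")
    if is_s_edition:
        line = "9.9-S"
    elif key[:2] >= (9, 10):
        line = "9.10"
    else:
        line = "9.9"   # assumption: older 9.x lines move to the 9.9 target
    target = TARGETS[line]
    return target if key < parse(target)[0] else None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("BIND 9.9.8-P1", "9.10.2b1", "9.9.8-S3", "9.10.3-P2"):
        print(sample, "->", upgrade_target(sample) or "at or above target")
```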
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003