Security Alert (A16-03-05): Multiple Vulnerabilities in ISC BIND


 

Published on: 10 March 2016

  
  

Description:

Multiple vulnerabilities are found in the ISC BIND software. A remote attacker could send a specially crafted query to trigger an assertion failure if DNS cookie support is enabled, remote commands on the control channel are accepted or when parsing signature records for DNAME records, causing the BIND to crash.

Both authoritative and recursive name servers are vulnerable to these problems.


Affected Systems:

  • BIND 9.0.0 to 9.8.8
  • BIND 9.9.0 to 9.9.8-P3
  • BIND 9.9.3-S1 to 9.9.8-S5
  • BIND 9.10.0 to 9.10.3-P3

Impact:

Successful exploitation could lead to a denial of service (DoS) condition on an affected system.


Recommendation:

Internet Systems Consortium (ISC) has released the following patches to solve the problems:

  • BIND 9.9.8-P4 or 9.10.3-P4
    http://www.isc.org/downloads/

Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk. 


More Information:

https://kb.isc.org/article/AA-01351
https://kb.isc.org/article/AA-01352
https://kb.isc.org/article/AA-01353
https://www.us-cert.gov/ncas/current-activity/2016/03/09/ISC-Releases-Security-Updates-BIND
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088



Tag: BIND , ISC
Tags