
SANS ISC InfoSec Handlers Diary Blog



Potential 0-day on Bind 9

Published: 2011-11-16
Last Updated: 2011-11-17 12:58:47 UTC
by Jason Lam (Version: 1)
9 comment(s)

Internet Systems Consortium published an alert earlier, as they are investigating a potential vulnerability in BIND 9. There are reports of the DNS server software crashing while generating the log entry "INSIST(! dns_rdataset_isassociated(sigrdataset))". Details are rather limited at this point; aside from the DoS effect, it is unknown whether code execution is possible.

Reference - http://www.isc.org/software/bind/advisories/cve-2011-tbd

Update:

ISC would appreciate network captures of active attacks against this BIND vulnerability. Please submit to us via Contact Form.

Update 2:

Patches are now available:
http://www.isc.org/software/bind
https://www.isc.org/software/bind/advisories/cve-2011-4313

Update 3:

There have been a number of reports of people being affected. If you are one and you have some packets to share, it would be appreciated if you can share them. We'll anonymise any identifying info.

Thanks

Mark

Update 4:

Several honeypots have been hit with unsolicited recursive DNS queries. Whilst the query itself is normal, it is possible that this is part of a scan looking for servers that may be vulnerable. If you happen to be monitoring your DNS and you notice a recursive request let us know. If you can share information that would be great. Ideally a capture, but the source and the domain requested will be enough for now.

Thanks  

Mark 
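One way to pull the requested details (source and domain of unsolicited recursive queries, plus any occurrence of the assertion quoted above) out of named logs. This is an added example, not code from the diary or from ISC. It assumes BIND query logging is enabled with the usual `client <ip>#<port>: query: <name> <class> <type> <flags>` layout, where a leading `+` in the flags means recursion was requested; the trusted networks and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Assertion text quoted in the diary entry.
CRASH_MARKER = "INSIST(! dns_rdataset_isassociated(sigrdataset))"

# Assumed BIND 9 query-log layout; tolerates the optional "@0x..." and "(name)" fields.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Hypothetical networks that are expected to use this server for recursion.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = """\
16-Nov-2011 10:15:31.101 queries: info: client 10.1.2.3#40112: query: www.example.com IN A +
16-Nov-2011 10:15:32.220 queries: info: client 203.0.113.77#53211: query: scan-test.example.net IN A +
16-Nov-2011 10:15:33.004 queries: info: client 198.51.100.9#1025: query: example.org IN MX -
16-Nov-2011 10:15:40.001 general: critical: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
"""

def scan(lines, trusted=TRUSTED_NETS):
    """Return (unsolicited recursive queries, lines containing the assertion)."""
    hits, crashes = [], []
    for line in lines:
        if CRASH_MARKER in line:
            crashes.append(line.strip())
            continue
        m = QUERY_RE.search(line)
        if not m or not m["flags"].startswith("+"):
            continue  # not a query line, or recursion was not requested
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # address field did not parse; skip rather than guess
        if not any(src in net for net in trusted):
            hits.append((str(src), m["qname"], m["qtype"]))
    return hits, crashes

if __name__ == "__main__":
    found, crashed = scan(SAMPLE_LOG.splitlines())
    for src, qname, qtype in found:
        print(f"recursive query from untrusted source {src}: {qname} {qtype}")
    for line in crashed:
        print(f"assertion logged: {line}")
```
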

Keywords: 0day bind 9 DNS