Denial of Service vulnerabilities back in the spotlight - patch BIND now!

Filed Under: Apple, Denial of Service, OS X, Vulnerability

Until recently, only remote code execution vulnerabilities have made the mainstream news.

These are the bug strains which may let an attacker get into your computer if you do nothing more than simply read an email, look at a web page, or even just connect to the internet.

But simple Denial of Service (DoS) vulnerabilities are newsworthy again, it seems. A DoS - not to be confused with DOS, which was an operating system of sorts - is where an attacker tries to slow down or to crash a computer.

That DoS vulnerabilities are back in the spotlight is hardly surprising, given the rabble-rousing noise made recently by Anonymous to encourage individuals to join voluntary DoS attacks against major companies such as MasterCard and PayPal. (When lots of computers initiate a DoS attack at the same time, the result is a DDoS, or Distributed Denial of Service attack. A DDoS is just a DoS scaled up for even greater havoc.)

DoSses are a big deal. Uptime is a significant measure of the on-line credibility of a business these days. If you have seen the film The Social Network you'll probably remember Fake Mark Zuckerberg ranting about how Facebook never goes down, mustn't go down, can't go down. For Fake Mark, that was a key business differentiator.

And the latest DoS vulnerability on the newswires is potentially troublesome. It's a flaw in BIND, almost certainly the most widely-used DNS server in the world. DNS, or the Domain Name Services, is the global system which converts names such as sophos.com into IP numbers such as 213.31.172.77. To say it's an important service is a serious understatement.

The details of the vulnerability can be found under the vulnerability identifier CVE-2011-0414.

In short, authoritative name servers can be tricked into a deadlock when an incremental zone transfer (IXFR) happens.

To explain: an authoritative name server is one which contains official data about name-to-number mappings for a domain. (Caching name servers simply ask authoritative name servers and remember the answers for a while to help reduce load on the authoritatives.) A zone transfer is when one name server sends information to another server about changes to the official DNS records. And an incremental zone transfer, if you will pardon me stating the obvious, is one in which only recent changes are exchanged, to save time and bandwidth.

Finally, deadlock is when a computer program gets stuck. Part A waits for part B, but part B waits for part A. Deadlock, in a literary flourish rarely seen in computer science, is also known as deadly embrace.

The internet is very large, and changes very rapidly. Over the past five years, the number of computers online has increased by about 300,000 per day - and that's just the aggregate increase, not taking account of the total number added and removed.

So IXFRs between authoritative name servers are a vital part of keeping DNS both alive and correct. Indeed, DNS servers are at the heart of many cloud-style security services, providing the mechanism by which up-to-date blocklist data is published. IXFRs between cloud-security DNS servers are critical in order to keep the latest blocklist information right up to date.

What does this mean?

If you are running a BIND DNS server, and you're on version 9.7, you should update as soon as you can to the latest patch release, version 9.7.3.

(As an aside, Apple ships every Macintosh with a copy of BIND. Most users don't run it, and so aren't affected. Those who do are lucky this time - OS X 10.6.6, the latest version, comes with BIND 9.6. Sometimes, being behind the curve is a good thing.)
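The advice above boils down to two questions for a defender: is `named` present (and running) on this box, and does its version fall in the 9.7.x-before-9.7.3 range? The script below is an added example, not part of the original article, and assumes the `named -v` banner has the form `BIND 9.7.2-P3` (suffixes such as `-P3`, `-APPLE-P2` or `b1` are ignored and only the numeric major.minor.patch is compared).

```shell
#!/bin/sh
# Added example (not from the article): classify a BIND version banner against the
# article's guidance (9.7.x before 9.7.3 needs the patch; 9.6 as shipped with OS X
# 10.6.6 is not affected). Assumption: banner looks like "BIND 9.7.2-P3"; anything
# after the third numeric component is ignored.

# bind_version_status BANNER -> prints: vulnerable | not-affected | unknown
bind_version_status() {
    banner="$1"
    # Extract the first dotted major.minor.patch number that follows "BIND "
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/.*BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown          # banner did not look like a BIND version string
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 9 ] && [ "$minor" -eq 7 ] && [ "$patch" -lt 3 ]; then
        echo vulnerable       # 9.7.0 .. 9.7.2: update to 9.7.3
    else
        echo not-affected     # e.g. 9.6.x, or already 9.7.3
    fi
}

# check_local_named -> inspects this machine: is named installed, running, patched?
check_local_named() {
    if ! command -v named >/dev/null 2>&1; then
        echo "named is not installed here; nothing to patch."
        return 0
    fi
    banner=$(named -v 2>/dev/null | head -n 1)
    status=$(bind_version_status "$banner")
    if pgrep -x named >/dev/null 2>&1; then
        running="running"
    else
        running="installed but not running"   # not exposed, but still worth patching
    fi
    echo "$banner ($running): $status"
}

check_local_named
```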


2 Responses to Denial of Service vulnerabilities back in the spotlight - patch BIND now!

  1. Is BIND DNS server software that effectively turns a server into a DNS? That means any Mac PC can be used as a DNS server by other computers. If I use another DNS like OpenDNS, Google DNS, Norton DNS, etc., I'm not affected, right? This vulnerability hits only those running a DNS server.

    • Paul Ducklin · 1344 days ago

      Correct. The program which implements BIND is called "named". ("Name" because it's a name server, and "d" for daemon, which is Unix-speak for background process which runs even when no-one is logged in.)

      The "named" program does not run by default on OS X workstations.

      If you're not running "named" then you are not vulnerable.

      It takes a bit of effort to set up named on a workstation, so if you were running it you would almost certainly remember getting it going :-)

      (If you were running "named", but only as a local caching nameserver, you would not be vulnerable because caching nameservers don't handle zone transfers. And even if you were running a full-blown DNS server on your Mac workstation, you wouldn't be vulnerable because the version of BIND in OS X 10.6.6 is not vulnerable, as mentioned in the article.)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog