Friday, July 31, 2009

BIND 9 Dynamic Update DoS

This time, ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a DoS attack. Both POC Exploit and patch are available now. Here's the summary:
BIND Dynamic Update DoS
CVE: CVE-2009-0696
CERT: VU#725188
Posting date: 2009-07-28
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.
McAfee did a good job on summarizing how the attack works. You can follow it here if you are interested in the detail.

POC exploit is available at:
Update: I found that there is a workaround that can be applied if case patch isn't available from vendor. Try this on your own risk.
iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'