BIND 9 Dynamic Update DoS

This time, ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a DoS attack. Both POC Exploit and patch are available now. Here's the summary:

BIND Dynamic Update DoS

CVE: CVE-2009-0696

CERT: VU#725188

Posting date: 2009-07-28

Program Impacted: BIND

Versions affected: BIND 9 (all versions)

Severity: High

Exploitable: remotely

Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.

McAfee did a good job on summarizing how the attack works. You can follow it here if you are interested in the detail.

References:

• BIND Dynamic Update DoS
• ISC BIND 9 vulnerable to denial of service via dynamic update request

POC exploit is available at:

• Milw0rm
• SecurityFocus

Update: I found that there is a workaround that can be applied if case patch isn't available from vendor. Try this on your own risk.

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'