DNSSEC NEWSFLASH

Wednesday, July 29, 2009

High-risk DNS exploit goes wild

BIND Dynamic Update DoS
CVE: CVE-2009-0696
CERT: VU#725188
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message

Description:

Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).

Workarounds:

None.

(Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)
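
The packet filtering mentioned above depends on recognising dynamic update messages on the wire. The following Python is an added example, not ISC's code and not part of the advisory: it identifies update requests by DNS opcode 5 and counts prerequisite records of type ANY, the condition described in this advisory. The function names are assumptions chosen for illustration.

```python
import struct

OPCODE_UPDATE = 5  # RFC 2136 dynamic update
TYPE_ANY = 255

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length

def classify_dns_message(msg):
    """Inspect one DNS message (UDP payload, or TCP payload minus length prefix).

    Returns (is_update_request, any_prereqs): whether a perimeter filter that
    blocks dynamic updates should drop it, and how many prerequisite records
    have type ANY. Raises ValueError on malformed input; treat that as a drop.
    """
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, zocount, prcount, _upcount, _adcount = struct.unpack("!6H", msg[:12])
    is_request = not flags & 0x8000  # QR bit clear
    if not is_request or (flags >> 11) & 0xF != OPCODE_UPDATE:
        return (False, 0)
    off = 12
    for _ in range(zocount):  # zone section entries: name, type, class
        off = _skip_name(msg, off) + 4
    any_prereqs = 0
    for _ in range(prcount):  # prerequisite RRs: name, type, class, ttl, rdlength, rdata
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated prerequisite")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        # RFC 2136 "name is in use" checks also use type ANY, so a hit is a
        # triage signal for review, not proof of an attack.
        if rtype == TYPE_ANY:
            any_prereqs += 1
    if off > len(msg):
        raise ValueError("record runs past end of message")
    return (True, any_prereqs)
```

Because access controls do not help here, a filter built on this check has to sit in front of the name server and drop every message for which the first element is true.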

Active exploits:

An active remote exploit is in wide circulation at this time.

Solution:

Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:

http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz

http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz

http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz

Source: https://www.isc.org/node/474

Tuesday, July 28, 2009

Experts Show the Way Towards a Better, More Secure Internet for Everyone

Internet Society - STOCKHOLM - Some of the world's leading experts met in Stockholm today to discuss how the Internet can become more secure through a full implementation of new security standards in the Domain Name System (DNS).

The Domain Name System is a critical operational element of the Internet, creating a user-friendly environment that allows names to be mapped to host addresses (for example, web and email servers). However, this system is not safe from tampering. Earlier this year, one of Brazil's biggest banks suffered an attack that redirected its customers to fraudulent websites that attempted to steal passwords and install malware.

Many experts are calling for a full-scale implementation of Domain Name Security Extensions (DNSSEC) which could protect the Internet from these types of attacks, such as the Kaminsky Bug. Patrik Wallström of .SE (the Top Level Domain Registrar for Sweden) explained that Kaminsky attacks can trick Internet users by taking over domain names and redirecting queries to another server. All applications are at risk, including, among others, our email and online transactions.

Leslie Daigle, Chief Internet Technology Officer of The Internet Society (ISOC), which organized the event, said: "DNSSEC effectively wraps tamper proof packaging around the data being requested to assure the user that the information is what was shipped from the authentic source."

"While DNSSEC isn't a magic bullet, it is a very important starting point that allows us to start evaluating how to secure the many applications that are intertwined with the Domain Name System," explained Jim Galvin, speaking on behalf of the Public Interest Registry that manages the .org domain name.

Richard Lamb, DNSSEC Programme Manager of ICANN added that "momentum has been building up. Today there is a generalized awareness that we need to implement the security extensions already at the root of the domain name system. With the widespread deployment of DNSSEC, we will be able to create a platform for innovation, new product development and international cooperation."

Matt Larson, Vice President of DNS research at VeriSign, one of the world's leading providers of network infrastructure services discussed VeriSign's plans for deploying DNSSEC in .com and .net. He said: "We are committed to the application of DNSSEC and have had a long history of involvement in its development. We are planning to have .net signed by the end of 2010 and .com signed in early 2011."

Securing the DNS panelists:

Patrik Wallström, .SE
Richard Lamb, ICANN
Olaf Kolkman, NLnet Labs
Leslie Daigle, The Internet Society
Jim Galvin, Public Interest Registry
Matt Larson, VeriSign

More details of the event, including presentations at: isoc.org/dns

Source: Internet Society - Retrieved on July 28th from businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090728005890&newsLang=en