
ISC BIND 9 Large RRSIG RRsets Negative Caching Remote DoS

Medium

Synopsis

The remote DNS server is vulnerable to a denial of service attack.

Description

The remote host is running BIND, a popular name server.

Versions of BIND 9.4 earlier than 9.4-ESV-R4-P1, 9.6 earlier than 9.6-ESV-R4-P1, 9.7 earlier than 9.7.3-P1, and 9.8 earlier than 9.8.0-P2 are potentially affected by a denial of service vulnerability. If BIND queries a domain with large RRSIG resource record sets, an off-by-one error in the buffer size check may trigger an assertion failure and crash the name server process.

Solution

Upgrade to BIND 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1, 9.8.0-P2, or later.
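
The version ranges in the Description and Solution can be checked across an inventory of BIND version strings with a small comparator. This is an added example, not code from the plugin or from ISC; the function name, the regular expression and the sample strings are assumptions, as is the ordering rule that numbered 9.4.x and 9.6.x releases sort before the ESV line.

```python
import re

# Fixed releases from the Solution, per branch, as (release, patch):
# "release" is the ESV R-number on 9.4/9.6 and the third component on 9.7/9.8.
FIXED = {"9.4": (4, 1), "9.6": (4, 1), "9.7": (3, 1), "9.8": (0, 2)}
ESV_BRANCHES = {"9.4", "9.6"}

VERSION_RE = re.compile(
    r"^(?P<branch>9\.\d+)"
    r"(?:(?P<esv>-ESV)(?:-R(?P<r>\d+))?|\.(?P<minor>\d+))?"
    r"(?P<pre>(?:a|b|rc)\d+)?"
    r"(?:-P(?P<patch>\d+))?$"
)


def is_potentially_affected(version):
    """True/False per the advisory's ranges; None if out of scope or unparseable."""
    m = VERSION_RE.match(version.strip())
    if m is None or m["branch"] not in FIXED:
        return None
    branch = m["branch"]
    fixed = FIXED[branch]
    if branch in ESV_BRANCHES:
        if not m["esv"]:
            # Assumption: numbered 9.4.x / 9.6.x releases sort before the ESV line.
            return True
        release = int(m["r"] or 0)
    else:
        release = int(m["minor"] or 0)
    if m["pre"]:
        # Assumption: an alpha/beta/rc sorts before its own final release.
        return release <= fixed[0]
    return (release, int(m["patch"] or 0)) < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    for v in ["9.4-ESV-R4", "9.6-ESV-R4-P1", "9.6.3", "9.7.3", "9.7.3-P1",
              "9.8.0rc1", "9.8.0-P2", "9.9.0", "9.7.3-P1-distro1"]:
        print(f"{v:20} {is_potentially_affected(v)}")
```

A `None` result means the string is outside the four branches listed above or carries a suffix the pattern does not recognise, so it needs manual review. Packaged builds may include backported fixes that the version string does not reflect.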