BIND security updates

BIND security updates

The Internet Systems Consortium (ISC) has released security updates to fix vulnerabilities in versions of ISC Berkeley Internet Name Domain (BIND).

The three vulnerabilities addressed are listed below (along with description provided by the ISC).

Limiting simultaneous TCP clients is ineffective (CVE-2018-5743): “By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit.”

An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c (CVE-2019-6467): “A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally…The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible.”

BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used (CVE-2019-6468): “In BIND Supported Preview Edition, an error in the nxdomain-redirect feature can occur in versions which support EDNS Client Subnet (ECS) features. In those versions which have ECS support, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure.”

The first vulnerability CVE-2018-5743 is rated high severity, whereas CVE-2019-6467 and CVE-2019-6468 are rated Medium severity. All three can be remotely exploited and should be patched as soon as possible.