BIND 9 Dynamic Update DoS

The vulnerability described in CVE-2009-0696 is very easy to exploit, and the consequences can be disastrous.

All it takes is a single DNS UDP packet carrying a specially crafted Dynamic Update for any zone for which the target server is master, and the named process will exit.

As stated by ISC, BIND's update ACLs do not mitigate this vulnerability. Because the transport is UDP, source IPs can be spoofed and are nearly impossible to track down. Even DNS infrastructures designed to expose only slave servers to the Internet can be vulnerable if any of those servers are master for zones covering the netblocks mentioned in RFC 1912 Section 4.1 and RFC 1918 Section 3.

Anyone who wishes to audit their environment can use the following Python script. Make sure you have permission to test your targets!

Given the criticality of this vulnerability, several IDS vendors have released detection signatures. However, as of this writing the above script evades the signatures from Sourcefire and Emerging Threats. Both groups will be notified with the necessary information.
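As an added illustration of the detection side (this is not the audit script the post refers to, and not ISC's code), the following Python check inspects a raw DNS UDP payload at the header level: it decodes the opcode and, for Dynamic Update messages (opcode 5, RFC 2136), the zone named in the Zone section, and raises an alert when that zone is one the monitored server is master for. The master zone list and the sample messages are constructed for this example; the sample UPDATE messages carry only a Zone section with no prerequisite or update records, so they are benign parser inputs, not the crafted packet the post describes.

```python
import struct

OPCODE_UPDATE = 5        # RFC 2136 Dynamic Update opcode
TYPE_SOA = 6             # ZTYPE in a well-formed UPDATE must be SOA

# Assumption for this example: zones the monitored server serves as master.
# Per the post, reverse zones for the RFC 1918 / RFC 1912 ranges belong here
# whenever the server answers for them authoritatively.
MASTER_ZONES = {"example.net", "10.in-addr.arpa"}


def parse_name(buf, offset):
    """Decode a DNS name at offset; return (lowercased dotted name, end offset).

    Follows compression pointers but refuses loops and truncated data so a
    malformed packet raises ValueError instead of hanging the monitor."""
    labels, seen, end, jumped = [], set(), None, False
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if offset + 1 >= len(buf):
                raise ValueError("truncated pointer")
            ptr = ((length & 0x3F) << 8) | buf[offset + 1]
            if ptr in seen:
                raise ValueError("pointer loop")
            seen.add(ptr)
            if not jumped:                           # end is after first pointer
                end, jumped = offset + 2, True
            offset = ptr
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def inspect_dns_payload(payload, master_zones=MASTER_ZONES):
    """Classify one UDP/53 payload. 'alert' is True for a Dynamic Update
    whose Zone section names a zone in master_zones. Matching is on message
    content only: the UDP source address is spoofable and is not consulted."""
    if len(payload) < 12:
        return {"alert": False, "reason": "short header"}
    ident, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", payload[:12])
    qr = (flags >> 15) & 1
    opcode = (flags >> 11) & 0xF
    info = {"id": ident, "opcode": opcode, "is_response": bool(qr), "alert": False}
    if qr or opcode != OPCODE_UPDATE or zocount != 1:
        return info                                  # queries, responses, other opcodes
    try:
        zone, off = parse_name(payload, 12)
        if off + 4 > len(payload):
            raise ValueError("truncated zone section")
        ztype, zclass = struct.unpack("!HH", payload[off:off + 4])
    except ValueError as exc:
        info["reason"] = "malformed UPDATE: %s" % exc
        return info
    info.update({"zone": zone, "zone_type": ztype, "zone_class": zclass,
                 "ztype_is_soa": ztype == TYPE_SOA,
                 "prerequisites": prcount, "updates": upcount, "additional": adcount})
    info["alert"] = zone in master_zones           # over-alert rather than miss
    return info


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_update_sample(zone, ident=0x1234):
    """Constructed test input: UPDATE header plus Zone section only (no records)."""
    hdr = struct.pack("!HHHHHH", ident, OPCODE_UPDATE << 11, 1, 0, 0, 0)
    return hdr + _encode_name(zone) + struct.pack("!HH", TYPE_SOA, 1)


def build_query_sample(name, ident=0x0001):
    """Constructed test input: ordinary recursive A query."""
    hdr = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return hdr + _encode_name(name) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    samples = [("update to master zone", build_update_sample("example.net")),
               ("update to RFC 1918 reverse zone", build_update_sample("10.IN-ADDR.ARPA")),
               ("update to foreign zone", build_update_sample("other.org")),
               ("plain query", build_query_sample("www.example.net")),
               ("garbage", b"\x00\x01\x02")]
    for label, pkt in samples:
        print("%-32s -> %s" % (label, inspect_dns_payload(pkt)))
```

Because the check keys on the opcode and the zone name rather than on the contents of the prerequisite or update records, it does not depend on the record-level details that a content signature would match; the trade-off is that every UPDATE aimed at a master zone is flagged, so on servers that legitimately receive dynamic updates the alert needs to be combined with an allow-list of expected updaters or with BIND's own update logging.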
