
High Severity BIND Vulnerability Advisory Issued

wiredmikey writes "The Internet Systems Consortium (ISC) and US-CERT have issued a high severity vulnerability warning, discovered by Neustar, which affects BIND, the most widely used DNS software on the Internet. Successful exploitation could enable an attacker to cause BIND servers to stop processing all requests. According to the disclosure, 'When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.'"
  • by skids ( 119237 ) on Wednesday February 23, 2011 @12:02PM (#35290750)

    This is not well known, but every computer connected to the Internet is capable of being its own nameserver.

    This is in fact fairly well known among the people who need to know these things. Also the hosts file is no substitute for DNS. It cannot, for example, give you MX records, cannot perform round-robin load balancing, and even if the sync of the hosts file is very quick, is not a suitable way to deal with the fact that name to ip mappings change frequently. Anyone who set things up as described above would be committing malpractice.

  • by Albanach ( 527650 ) on Wednesday February 23, 2011 @12:14PM (#35290864)

    Seriously? What companies avoid nameservers?

    Why would you believe your P2P software is less prone to vulnerabilities than BIND?

    but it also permits the company to defacto limit the webservers that employees may visit.

    Perhaps, if your company employs people who cannot type in an IP address. Nonetheless, I can think of many much better ways to limit employee internet access.

    All software has vulnerabilities. If your nameserver has an issue, you upgrade BIND and you're done. If your P2P software on every desktop has a vulnerability, you now have to update software on every desktop. Assuming, that is, that the vulnerability is ever publicly disclosed.

  • by Leebert ( 1694 ) on Wednesday February 23, 2011 @12:41PM (#35291076)

    This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.

    It depends entirely upon the requirements for availability. I agree that generally the A in the CIA triad is the least important, but not by any means always.

    Imagine if this could be easily leveraged to shut down all DNS resolvers for, say, all of Comcast. Wouldn't you agree that it's probably a greater impact than, say, a single unimportant desktop somewhere in marketing being compromised by the Flash Of The Day vulnerability?

    Thus is the black magic of IT risk management. :)

    That said, my first thought when reading this headline was the same as yours.

  • by Anonymous Coward on Wednesday February 23, 2011 @02:34PM (#35292200)

    So, BaconBits - are you going to publicly retract your statements impugning BIND's process?

    You made some very harsh judgements, evidently without any research to back up said accusations - IMO, you owe an apology. [I'm posting AC since I don't want to be attacked publicly either, but I have NO association with BIND or any Linux development at all. I'm simply one who uses BIND and Linux servers. Really, I'm just a sysadmin.]

  • by pclminion ( 145572 ) on Wednesday February 23, 2011 @02:39PM (#35292278)

    Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that

    You know, I'm really tired of people who obviously don't write code saying crap like this. Fixing a subtle deadlock could quite realistically take a month. First, you need to figure out really why it happens. Then you need to figure out the CORRECT way to fix it, then you need to implement the fix, then you need to TEST the thing to make sure you didn't introduce anything ELSE that could cause a problem. If the bug was in an easy area of code, chances are it would have been found and fixed a long time ago. BIND has been around a long, long time. Anything left in there now is, by definition, hard to find and hard to fix.

    Look folks, security bugs happen BECAUSE people whip out code without thinking and without testing. Now you ask for them to do exactly that? You need to get a grip on reality.

  • by thogard ( 43403 ) on Wednesday February 23, 2011 @06:52PM (#35294750)

    Keep in mind that ISC runs a lot of very large name servers all over the world that are under constant DDOS attacks and they didn't see this in the wild. At this point, it's a theoretical attack and there is a theatrical workaround. Releasing the info too soon could have resulted in a real attack against a theatrical workaround. I think they did the right thing considering if you had a DDOS problem, you can ask in a number of places and they would have told you to try the workaround.
