Brace of Denial of Service Bugs hit BIND
Written by Editor   
Friday, 28 January 2005 15:59
Internet Systems Consortium has pushed out a couple of fixes for BIND to address two denial of service vulnerabilities within BIND 8.4.x and BIND 9.3.x. The first of the bugs affects only BIND versions 8.4.4 and 8.4.5, and is a buffer overflow error in the handling of the "q_usedns" array used by the server to track name servers and addresses that have been queried. Successful exploitation of the issue would crash the service, causing a Denial of Service.

The second issue affects BIND version 9.3.0 and lies in the way BIND supports the DNS Security Extensions (DNSSEC), including the NextSECure (NSEC) RDATA Format. The issue stems from an incorrect assumption in the routine authvalidated(), which would cause an internal test to fail and, as a result, named to exit. An attacker using a specially crafted DNS packet could exploit the issue, causing a Denial of Service against vulnerable hosts.

It is suggested that users of vulnerable versions of BIND 8.4.x upgrade to the 8.4.6 release, and that users of the vulnerable 9.3.0 release upgrade to version 9.3.1. You can find more information on the BIND 8.4.x issue here and the BIND 9.3.x issue here.
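
To apply the upgrade advice across a set of name servers, the following added example (not from the article or from ISC) classifies version strings against the releases named above. The function names, status words and `example.test` hosts are constructed for illustration; builds with a suffix such as `rc4` or `-P1` are reported for manual review because the article only names plain releases.

```shell
#!/bin/sh
# Added example: triage BIND version strings against the releases this
# article names (8.4.4, 8.4.5 -> 8.4.6; 9.3.0 -> 9.3.1).

# classify_bind "<banner or version string>"
# Prints one of:
#   affected <fixed-release> | review <version> | not-listed <version> | unparsed
classify_bind() {
    # Take the first whitespace-separated token that starts with x.y.z.
    # Double quotes are stripped so quoted version.bind answers parse too.
    ver=$(printf '%s\n' "$1" | tr -d '"' | tr ' \t' '\n\n' |
          grep -E '^[0-9]+\.[0-9]+\.[0-9]+' | head -n 1) || true
    case "$ver" in
        "")                      echo "unparsed" ;;
        8.4.4|8.4.5)             echo "affected 8.4.6" ;;  # q_usedns overflow
        9.3.0)                   echo "affected 9.3.1" ;;  # authvalidated() exit
        # Suffixed builds of an affected release: status is an assumption
        # the article does not settle, so flag them for a human.
        8.4.4?*|8.4.5?*|9.3.0?*) echo "review $ver" ;;
        *)                       echo "not-listed $ver" ;;
    esac
}

# triage_inventory: reads "host version-string" lines on stdin and
# prints "host<TAB>status" for each non-empty line.
triage_inventory() {
    while read -r host banner; do
        [ -n "$host" ] || continue
        printf '%s\t%s\n' "$host" "$(classify_bind "$banner")"
    done
}

# Constructed sample inventory (hypothetical hosts and banners).
triage_inventory <<'EOF'
ns1.example.test BIND 8.4.5
ns2.example.test named 8.4.6
ns3.example.test "9.3.0"
ns4.example.test BIND 9.3.0rc4
ns5.example.test version hidden
EOF
```

A `not-listed` result only means the release is not named in this article, and a server configured to hide or override its version string will show up as `unparsed`, so confirm those hosts from the installed package.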

Last Updated ( Thursday, 14 September 2006 23:19 )