CISA Warns of Vulnerabilities in Popular Domain Name System Software 


Security advisories note attackers could remotely exploit flaws to cause a denial of service.

The Cybersecurity and Infrastructure Security Agency highlighted software vulnerabilities in the Berkeley Internet Name Domain and urged administrators to patch the widely used open source system. 

“The Internet Systems Consortium has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain,” CISA wrote. “A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition. CISA encourages users and administrators to review the following ISC advisories for more information and to apply the necessary updates.”

There are no workarounds identified in the advisories, which the ISC released Friday. The ISC implores users to employ the only solution: “Upgrade to the patched release most closely related to your current version of BIND.”

ISC noted five related vulnerabilities, four of which were ranked “medium” in severity, all of which could be exploited remotely. 

The Domain Name System lets the user-friendly names in a uniform resource locator stand in for internet protocol addresses. But target machines can be spoofed or flooded with requests sent by malicious hackers, disrupting their operation.

In describing one vulnerability, the ISC said versions of BIND that use the libuv network manager incorrectly specified a maximum buffer size, which would allow a deliberately constructed payload sent over a Transmission Control Protocol (TCP) connection to disable the server.

“An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger the assertion failure, causing the server to exit,” the advisory reads. 

Other vulnerabilities that can cause the server to crash involve misconfigurations and signatures attached to requests for addresses.

ISC credited Emanuel Almeida of Cisco Systems; Dave Feldman, Jeff Warren, and Joel Cunningham of Oracle; Joop Boonen of credativ GmbH and Lyu Chiy; and Joseph Gullo for the discoveries.

There are currently no known active exploits for any of the vulnerabilities.