Saturday, 26 November 2011

ISC issues temporary patch for zero-day BIND 9 DNS server flaw

Hillary O'Rourke, Contributor

Internet Systems Consortium (ISC) today issued a temporary patch for a zero-day vulnerability in BIND 9 DNS servers that is causing Internet servers to crash. The fix doesn't repair the vulnerability, but instead prevents DNS servers from crashing while handling the error, ISC said in an advisory.

Organizations around the Internet began reporting crashes that were interrupting service on BIND 9 name servers after logging an error while performing recursive queries. ISC said it is investigating whether this is only a denial-of-service condition, or whether there are active exploits in the wild.

“Affected servers crashed after logging an error in query.c with the following message: ‘INSIST(! dns_rdataset_isassociated(sigrdataset)),’” ISC said in its advisory. “An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure.”

Multiple versions of the BIND 9 platform were affected, including all supported versions of ISC BIND 9, in addition to BIND 9.4-ESV, 9.6-ESV, 9.7.x and 9.8.x.

“When a client query is handled, the code that processes the response to the client has to ask the cache for the records for the name which is being queried,” explained the ISC advisory. For this reason, there are two separate components of the patch: the first prevents the cache from returning the inconsistent data, while the second prevents the server from crashing if it detects it has been given an inconsistent answer.

Currently, there aren't any known workarounds. ISC is encouraging users to upgrade BIND to one of the patched versions, which will mitigate the problem.
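
An added example (not from the article or from ISC): a log scan that reports which resolvers have already logged the query.c assertion failure quoted in the advisory, grouped by host. The syslog line layout, host names, timestamps and source line number in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the assertion text quoted in the advisory. Whitespace after "!" and
# letter case differ between log renderings, so both are tolerated.
ASSERT_RE = re.compile(
    r"query\.c(?::\d+)?:\s*INSIST\(\s*!\s*"
    r"dns_rdataset_isassociated\(\s*sigrdataset\s*\)\s*\)",
    re.IGNORECASE,
)

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> named[<pid>]: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\snamed\[\d+\]:\s(.*)$")

# Constructed sample input, not captured from a real server.
SAMPLE_LOG = """\
Nov 26 10:02:11 ns1 named[812]: client 192.0.2.10#5353: query: example.test IN A +
Nov 26 10:02:14 ns1 named[812]: query.c:1234: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
Nov 26 10:02:14 ns1 named[812]: exiting (due to assertion failure)
Nov 26 10:05:40 ns2 named[644]: query.c:1234: INSIST(!dns_rdataset_isassociated(sigrdataset)) failed
Nov 26 10:09:02 ns1 named[977]: query.c:1234: INSIST(! Dns_rdataset_isassociated(sigrdataset)) failed
Nov 26 10:09:30 ns3 named[301]: zone example.test/IN: loaded serial 2011112601
"""


def find_crashes(log_text):
    """Return {host: [timestamps]} for every logged query.c assertion failure."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only named's own messages are inspected; other daemons are skipped.
        if m and ASSERT_RE.search(m.group(3)):
            hits[m.group(2)].append(m.group(1))
    return dict(hits)


if __name__ == "__main__":
    for host, times in sorted(find_crashes(SAMPLE_LOG).items()):
        print(f"{host}: {len(times)} assertion failure(s), "
              f"first {times[0]}, last {times[-1]}")
```

A host that appears more than once has crashed again after being restarted, which is consistent with the cached invalid record the advisory describes being queried again.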

