CVE: CVE-2014-8500
Document Version: 2.0
Posting date: 08 December 2014
Program Impacted: BIND 9
Versions affected: 9.0.x -> 9.8.x, 9.9.0 -> 9.9.6, 9.10.0 -> 9.10.1
Severity: Critical
Exploitable: Remotely
Description:
By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process.)
Impact:
All recursive resolvers are affected. Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.
CVSS Score: 7.8
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Workarounds:
No workarounds exist. Vulnerable versions of BIND 9 should be upgraded.
Active exploits:
No known active exploits.
Solution: Upgrade to the patched release most closely related to your current version of BIND. Patched builds of currently supported branches of BIND (9.9 and 9.10) can be downloaded via http://www.isc.org/downloads
BIND 9 version 9.9.6-P1
BIND 9 version 9.10.1-P1
Regarding older versions:
BIND 9.6-ESV and BIND 9.8 have been officially designated "end of life" (EOL) and no longer receive support. All organizations running EOL branches should be planning transition to currently supported branches. However, due to the severity of this particular issue, source code diffs which can be applied to BIND 9.8 and BIND 9.6-ESV will be made available on request to security-officer@isc.org.
Acknowledgements:
ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.