It’s been a while since my last post – and this one is a doozey.
So Bind is one of the most popular DNS servers on the planet. Just about everyone runs it. So when news breaks that a specially crafted request can cause the named process to exit, then a problem is presented.
The official report says:
named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.
This doesn’t really convey the severity of the issue. Thankfully, the ISC elaborate more. In it, they say:
The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer. I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind. Please take steps to patch or download a secure version immediately.
This bug is designated “Critical” and it deserves that designation.
Essentially, “You’re screwed. Upgrade now”.
If you’re a system admin, and you’re reading this, check your bind version now, make a coffee, then dig in for the long haul.