Hackers Exploit BIND DoS Flaw to Take Out DNS Servers

Hackers are already exploiting in the wild a newly discovered critical vulnerability in the near ubiquitous BIND DNS servers, causing denial of service, according to a security firm.

Sucuri founder Daniel Cid warned in a blog post on Sunday that the DoS flaw (CVE-2015-5477) could allow a remote and unauthenticated attacker to crash the BIND daemon, taking out the DNS server.

The vulnerability, given a CVSS score of 7.8, was patched a week previously by the Internet Systems Consortium, which explained it as follows:

“An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.”

Cid claimed that all major Linux distributions including Red Hat, Ubuntu and Centos have provided patches for the flaw. He said a simple “yum update” on Red Hat/Centos or an “apt-get update” on Debian-based systems would be enough to protect key systems.

“Because of its severity we’ve been actively monitoring to see when the exploit would be live. We can confirm that the attacks have begun,” he warned.

“DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down also means your email, HTTP and all other services will be unavailable. If You Have Not Patched Your DNS Server, Do it Now!”

Konrads Smelkovs, a manager in KPMG’s Cyber Security practice, argued that the discovery of such vulnerabilities is only to be expected.

“What does surprise me, however, is that every time a new vulnerability or bug becomes public, companies tend to panic and rely solely on their ability to use patches and therefore suffer the downtime that can be associated with that or risk breaches if they don’t patch immediately,” he added.

“We would always recommend users plan for a certain amount of failure and therefore have alternative arrangements in place. For some it may be that stopping business for one hour is acceptable but for others this may not work and putting security software in front of it or relying on a partner to take over operations during a downtime would be more appropriate.”

What’s Hot on Infosecurity Magazine?