Full Disclosure mailing list archives
On the impact of CVE-2013-2266 (BIND9)
From: Daniel Franke <dfoxfranke () gmail com>
Date: Wed, 27 Mar 2013 18:01:56 -0400
Folks,

It's been a day now since the public disclosure of CVE-2013-2266 (https://kb.isc.org/article/AA-00871):
A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine.
"Ho hum", I hear, "another BIND DoS. Must be Tuesday." Well, not quite: I think this one stands out from most other BIND vulnerabilities due to its ease of exploitation. It took me approximately ten minutes of work to go from reading the ISC advisory for the first time to developing a working exploit. I didn't even have to write any code to do it, unless you count regexes or BIND zone files as code. It probably will not be long before someone else takes the same steps and this bug starts getting exploited in the wild.

Any server running an affected version of BIND in its default configuration as a recursive resolver, or as an authoritative nameserver that accepts zone transfers from untrusted sources, is made vulnerable by this bug. If your organization relies upon the availability of such a server, please make haste in getting it patched before some s'kiddie decides to turn it off for you.