Full Disclosure mailing list archives

On the impact of CVE-2013-2266 (BIND9)
From: Daniel Franke <dfoxfranke () gmail com>
Date: Wed, 27 Mar 2013 18:01:56 -0400

Folks,

It's been a day now since the public disclosure of CVE-2013-2266
(https://kb.isc.org/article/AA-00871):

A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on
Unix and related operating systems, allows an attacker to
deliberately cause excessive memory consumption by the named
process, potentially resulting in exhaustion of memory resources on
the affected server.  This condition can crash BIND 9 and will
likely severely affect operation of other programs running on the
same machine.

"Ho hum", I hear, "another BIND DoS. Must be Tuesday."

Well, not quite: I think this one stands out from most other BIND
vulnerabilities due to its ease of exploitation. It took me
approximately ten minutes of work to go from reading the ISC advisory
for the first time to developing a working exploit. I didn't even have
to write any code to do it, unless you count regexes or BIND zone
files as code. It probably will not be long before someone else takes
the same steps and this bug starts getting exploited in the wild.

Any server running an affected version of BIND in its default
configuration as a recursive resolver, or as an authoritative
nameserver that accepts zone transfers from untrusted sources, is made
vulnerable by this bug. If your organization relies upon the
availability of such a server, please make haste in getting it patched
before some s'kiddie decides to turn it off for you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
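The post identifies two exposures: open recursion and zone transfers accepted from untrusted sources. The following named.conf fragment is an added example, not part of the original post or of ISC's advisory, showing how a BIND operator limits both exposures while the patch is being rolled out. The ACL names, network ranges and zone name are constructed placeholders; the directives (`acl`, `allow-recursion`, `allow-transfer`, `notify`) are standard BIND 9 options.

```conf
// Added example (not from the original post): restrict who may recurse
// through this server and who may pull zones from it.
// Network ranges and names below are constructed placeholders.

acl "internal-clients" {
    127.0.0.1;
    10.0.0.0/8;        // placeholder: replace with your client networks
};

acl "secondary-servers" {
    192.0.2.53;        // placeholder: address of your own secondary
    2001:db8::53;      // placeholder: its IPv6 address
};

options {
    directory "/var/named";

    // Weak default: recursion open to any client that can reach the port.
    //     recursion yes;          (with no allow-recursion restriction)
    // Corrected: answer recursive queries only for known clients.
    recursion yes;
    allow-recursion { "internal-clients"; };

    // Weak default: zone transfers allowed to anyone.
    // Corrected: deny transfers globally; re-enable per zone below.
    allow-transfer { none; };
};

zone "example.test" {
    type master;
    file "example.test.zone";   // placeholder path
    // Only the listed secondaries may request this zone.
    allow-transfer { "secondary-servers"; };
    notify yes;
    also-notify { 192.0.2.53; };
};
```

After editing, `named-checkconf` validates the syntax and `rndc reconfig` applies it without a restart. Restricting recursion and transfers shrinks the set of hosts that can push input at the affected library, but the post's point stands: the fix is the patched BIND release, and these settings only narrow exposure until it is installed.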