mailing list archives
On the impact of CVE-2013-2266 (BIND9)
From: Daniel Franke <dfoxfranke () gmail com>
Date: Wed, 27 Mar 2013 18:01:56 -0400
It's been a day now since the public disclosure of CVE-2013-2266
A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on
Unix and related operating systems, allows an attacker to
deliberately cause excessive memory consumption by the named
process, potentially resulting in exhaustion of memory resources on
the affected server. This condition can crash BIND 9 and will
likely severely affect operation of other programs running on the
"Ho hum", I hear, "another BIND DoS. Must be Tuesday."
Well, not quite: I think this one stands out from most other BIND
vulnerabilities due to its ease of exploitation. It took me
approximately ten minutes of work to go from reading the ISC advisory
for the first time to developing a working exploit. I didn't even have
to write any code to do it, unless you count regexes or BIND zone
files as code. It probably will not be long before someone else takes
the same steps and this bug starts getting exploited in the wild.
Any server running an affected version of BIND in its default
configuration as a recursive resolver, or as an authoritative
nameserver that accepts zone transfers from untrusted sources, is made
vulnerable by this bug. If your organization relies upon the
availability of such a server, please make haste in getting it patched
before some s'kiddie decides to turn it off for you.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- On the impact of CVE-2013-2266 (BIND9) Daniel Franke (Mar 27)