October 28, 2016

BIND 9 Updated To Fix Serious Server Crash

(LiveHacking.Com) – The Internet Systems Consortium (ISC) has released an update to BIND 9 to work around a caching bug which is causing servers to crash all over the Internet. Reports from across the Internet show that BIND 9-based nameservers crash when performing recursive queries. There is a suggestion that this zero-day vulnerability is being used by hackers to launch a denial-of-service attack.

ISC has not yet identified how the crash is triggered (malformed packets, malformed requests, etc.). However, it has discovered that once the bug is triggered, the BIND 9 resolver caches an invalid record, and subsequent queries then crash the server.

As a workaround, ISC has released patched versions of BIND 9.4-ESV, 9.6-ESV, 9.7 and 9.8, which make the ‘named’ daemon recover gracefully from the inconsistency and so prevent the crash.

The release notes for the patched versions read:

BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure.

The new versions can be downloaded from here and the security advisory can be read here.

ISC Patch DHCP Server Halt Bugs

(LiveHacking.Com) – The Internet Systems Consortium, Inc. (ISC), the non-profit company which develops software for the infrastructure of the Internet (like BIND and DHCP), is reporting that two issues have been found in its DHCP server that could allow an attacker to cause the server to crash.

According to the advisory, ISC received a report from David Zych of the University of Illinois about a crash in the DHCP server when it tries to process certain types of packets. Upon investigation, ISC found another similar bug alongside the one reported by David. The patch issued by ISC fixes the code to properly discard or process those packets.

Affected versions of the DHCP server are 3.1.0 through 3.1-ESV-R1, all versions of 4.0 (as it has reached EOL), 4.1.0 through 4.1.2rc1, 4.1-ESV through 4.1-ESV-R3b1 and 4.2.0 through 4.2.2rc1. The currently supported, patched versions are 3.1-ESV-R3, 4.1-ESV-R3 or 4.2.2.

The advisory also notes that this is the last update to 3.1-ESV as it will reach End-of-Life after this release.

ISC’s DHCP Client Could Allow Remote Code Execution

The Internet Systems Consortium (ISC), a non-profit company which develops software for the infrastructure of the Internet (like BIND and DHCP), has released details of a new remote code execution vulnerability present in its dhclient software.

dhclient is ISC’s DHCP client and can be found on most Linux systems as well as other Unix-like platforms such as FreeBSD. When a machine is configured to use DHCP (Dynamic Host Configuration Protocol), dhclient broadcasts a request asking for hostname and IP configuration information. A DHCP server will then reply with the corresponding information.

The problem is that dhclient does not strip or escape certain shell meta-characters in responses from the DHCP server (such as the hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client. dhclient versions 3.0.x to 4.2.x are affected.
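The missing check described above, as an added example (not ISC's patch and not code from the advisory): a POSIX shell allow-list that a hook script could apply to a server-supplied host name before using it. The function names `valid_hostname` and `pick_hostname`, the `localhost` fallback and the sample values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not ISC's patch: allow-list check for a DHCP-supplied host name.
LC_ALL=C; export LC_ALL   # make the bracket ranges below plain ASCII

# valid_hostname NAME -> exit status 0 if NAME is a plain RFC 1123 host name.
valid_hostname() {
    _name=$1
    [ -n "$_name" ] || return 1
    [ "${#_name}" -le 253 ] || return 1
    # Allow-list: any character other than letter, digit, dot or hyphen
    # (so ; | & $ ` quotes, spaces and newlines) fails the check.
    case $_name in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Each dot-separated label: 1..63 chars, no leading or trailing hyphen.
    _rest=$_name
    while :; do
        _label=${_rest%%.*}
        [ -n "$_label" ] || return 1
        [ "${#_label}" -le 63 ] || return 1
        case $_label in
            -*|*-) return 1 ;;
        esac
        case $_rest in
            *.*) _rest=${_rest#*.} ;;
            *) break ;;
        esac
    done
    return 0
}

# pick_hostname NAME FALLBACK -> prints NAME if valid, else FALLBACK.
# The value is only ever expanded inside double quotes, never via eval.
pick_hostname() {
    if valid_hostname "$1"; then
        printf '%s\n' "$1"
    else
        printf 'DHCP host name rejected by allow-list\n' >&2
        printf '%s\n' "$2"
    fi
}

# Constructed sample values, as a server reply might supply them.
for sample in 'web01.example.com' 'host;echo' '-lead.example'; do
    printf '%s -> %s\n' "$sample" "$(pick_hostname "$sample" localhost 2>/dev/null)"
done
```

Rejecting the whole value and falling back, rather than stripping characters, keeps a tampered reply from silently producing a different but still attacker-chosen name.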

ISC have issued new versions of the software: 3.1-ESV-R1, 4.1-ESV-R2 or 4.2.1-P1 which can be downloaded from here. No patch is available for 4.0.x as it has reached its end of life. Anyone running 4.1.x should upgrade to 4.1-ESV-R2.

If you don’t want to rebuild the software yourself, you should consider the immediate workarounds given below or wait until your Linux distribution issues an update.

Immediate workarounds

On SUSE systems, it is possible to disable the hostname update by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp. Other systems may add the following line to dhclient-script at the beginning of the set_hostname() function: