BIND 9 Dynamic Update DoS Security Update

July 29, 2009 · 7 comments · Last updated July 29, 2009


BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named daemon is an Internet Domain Name Server for UNIX-like operating systems. Dynamic update messages may be used to update records in a master zone on a nameserver. When named receives a specially crafted dynamic update message, an internal assertion check is triggered which causes named to exit. An attacker who can send DNS requests to a nameserver can therefore cause it to exit, creating a Denial of Service situation. Configuring named to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. This exploit is public. Please upgrade immediately.

Our hosting provider seems to have come under DoS attack at the same time, and their DNS server went down for a couple of hours. So you may see parts of our site not working, especially our CSS, JS and image files, which come from our service provider's servers that are affected by the BIND server problem.

Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC claims it affects all versions of BIND 9. However, another update from Red Hat stated that:

Updates with similar patch are undergoing quality assurance testing now and will be released as soon as they are fully tested.

How Do I Fix This Under Debian / Ubuntu Linux?

Upgrade your vulnerable package using the following commands:
# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart

How Do I Fix This Under FreeBSD Operating System v6.x and v7.x?

To patch your system, download the relevant patch from the FreeBSD security site as shown below, and verify the detached PGP signature using your PGP utility:
# cd /tmp
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch.asc
# cd /usr/src
# patch < /tmp/bind.patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart
# rm /tmp/bind.patch

How Do I Patch RHEL / Fedora / CentOS Linux Server?

Red Hat / CentOS specific patch is available here.

Update, Jul 30, 1:31: Updated bind packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. You can grab it from RHN or simply run the following command at a shell prompt:
# yum update

CentOS Linux users will get the same in a day or two.

Other Suggestions

A Slashdot user suggested the following iptables rule, which uses the u32 matching module:

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
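As an added illustration (not part of the original post or the Slashdot user's suggestion), this Python code reproduces the arithmetic behind the u32 expression '30>>27&0xF=5' on constructed IPv4/UDP/DNS packets and compares it with a proper DNS header parse. It shows that the expression reads the DNS opcode only when the IP header is exactly 20 bytes, so a packet carrying IP options is not matched; the rule is also UDP-only and says nothing about updates sent over TCP.

```python
import struct

def build_ipv4_udp_dns(opcode, ihl_words=5):
    """Construct a minimal IPv4/UDP datagram to port 53 carrying a bare 12-byte
    DNS header with the given opcode (constructed test data, not a captured packet).
    ihl_words > 5 pads the IP header with zero-filled options."""
    ip_hdr_len = ihl_words * 4
    dns_hdr = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + len(dns_hdr), 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, ip_hdr_len + 8 + len(dns_hdr),
                         0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    options = b"\x00" * (ip_hdr_len - 20)
    return ip_hdr + options + udp_hdr + dns_hdr

def u32_rule_matches(pkt):
    """Evaluate the u32 expression '30>>27&0xF=5' the way iptables does:
    load the big-endian 32-bit word at byte offset 30 of the IP packet
    (DNS flags + QDCOUNT when the IP header is exactly 20 bytes), shift
    right 27 to keep the QR bit and 4-bit opcode, mask to the opcode, test == 5."""
    if len(pkt) < 34:          # u32 fails the match if the load runs past the packet
        return False
    word = struct.unpack_from("!I", pkt, 30)[0]
    return ((word >> 27) & 0xF) == 5

def dns_opcode(pkt):
    """Parse the real DNS opcode: skip the IP header by its IHL field, then
    the 8-byte UDP header, and read bits 1-4 of the DNS flags word."""
    ihl = (pkt[0] & 0x0F) * 4
    flags = struct.unpack_from("!H", pkt, ihl + 8 + 2)[0]
    return (flags >> 11) & 0xF

if __name__ == "__main__":
    for label, pkt in [("UPDATE, 20-byte IP header", build_ipv4_udp_dns(5)),
                       ("QUERY,  20-byte IP header", build_ipv4_udp_dns(0)),
                       ("UPDATE, 24-byte IP header", build_ipv4_udp_dns(5, ihl_words=6))]:
        print(f"{label}: opcode={dns_opcode(pkt)} u32 rule drops={u32_rule_matches(pkt)}")
```

Note that the mask also discards the QR bit, so UPDATE responses arriving on port 53 are dropped as well.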

Another user at the Red Hat support site suggested the following workaround:

Based on the original advisory, this appears to affect only "master" servers. One standard best practice is to have one master and multiple slaves and to protect that master (no exposure to the Internet). This would seem to be a mitigation. This is a BCP (Best Common Practice) for those of us who have been doing this for years.

Another option is to use the djbdns DNS server.



1 Christopher July 29, 2009 at 6:52 pm

Any word on when Redhat/CentOS will be releasing a RPM and/or yum repo update for this issue?

2 nixCraft July 29, 2009 at 8:04 pm

@Christopher,

Red Hat just released the updated version. Grab it from RHN or just run yum update.

3 Christopher July 29, 2009 at 8:10 pm

Any word on CentOS?

4 nixCraft July 29, 2009 at 8:37 pm

Good news. CentOS just rolled out the updated version :D Open /etc/yum.repos.d/CentOS-Base.repo and find the released updates section. Comment mirrorlist and comment out baseurl. It should look as follows:

#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

Save and close the file. And run the following:

yum clean all
yum update

Outputs:

==============================================================================================================================================================
 Package                              Arch                            Version                                          Repository                        Size
==============================================================================================================================================================
Updating:
 bind                                 x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          961 k
 bind-chroot                          x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                           42 k
 bind-libs                            x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          869 k
 bind-utils                           x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          173 k
Transaction Summary
==============================================================================================================================================================
Install      0 Package(s)
Update       4 Package(s)
Remove       0 Package(s)

Finally, revert the changes made to /etc/yum.repos.d/CentOS-Base.repo.

HTH

5 Tyler July 30, 2009 at 5:02 am

The update hit our repo and was deployed. The majority of IPS providers, including Cisco, ISS and Tipping Point, have been overly slow in releasing a DV update for this.

6 nixCraft July 30, 2009 at 6:53 am

@Tyler,

I saw that on one of our sites; I had to update CentOS-Base.repo to point to the main base URL instead of the mirror.

7 xxra3edxx July 30, 2009 at 12:55 pm

I have a problem with "yum update".

Can you help me?

Loaded plugins: fastestmirror
Determining fastest mirrors
google | 951 B 00:00
primary.xml.gz | 2.3 kB 00:00
google 2/2
google64 | 951 B 00:00
primary.xml.gz | 991 B 00:00
google64 1/1
http://centos.mirror.cust.lstn.net/5/os/x86_64/repodata/repomd.xml: [Errno 4] IOError:
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: base. Please verify its path and try again

thnx
