Vigil@nce - ISC BIND: assertion error via OPT/ECS
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force an assertion error by sending OPT/ECS
data/options to ISC BIND in debug mode, in order to trigger a
denial of service.
Impacted products: BIND, Slackware.
Severity: 2/4.
Creation date: 20/01/2016.
DESCRIPTION OF THE VULNERABILITY
The ISC BIND product can be configured to log debug messages.
In this case, data of OPT records and ECS options are converted to
text to be logged. However, when these data/options are malformed,
an assertion error occurs because developers did not except this
case, which stops the process.
An attacker can therefore force an assertion error by sending
OPT/ECS data/options to ISC BIND in debug mode, in order to
trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/ISC-BIND-assertion-error-via-OPT-ECS-18767