Vigil@nce - ISC BIND: denial of service via a zone update
September 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who controls a primary DNS server, or an authorized
client, can send an overly large zone to ISC BIND in order to
trigger a denial of service.
Impacted products: BIG-IP Hardware, TMOS, BIND.
Severity: 2/4.
Creation date: 06/07/2016.
Revision date: 08/07/2016.
DESCRIPTION OF THE VULNERABILITY
The ISC BIND product is a DNS server. It may run as a slave, that
is, as a secondary server. It may also accept updates from clients,
typically configured with DHCP.
When running as a secondary, it fetches the content of its zones
from the primary server with a dedicated DNS command, XFER. However,
BIND does not define any limit on the size of a zone. When the
primary server sends an overly large zone, a fault occurs and the
server dies. A client which is authorized to send updates can also
trigger this fault.
One should note that using a server as a primary implies trusting
it. (Sending an empty zone is a more efficient way to deny service
to end clients.)
An attacker who controls a primary DNS server, or an authorized
client, can therefore send an overly large zone to ISC BIND in
order to trigger a denial of service.
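A configuration that bounds zone size on the receiving server, as an added example that is not part of the original bulletin. It assumes a BIND 9 release that supports the max-records option; the zone names, address, file paths and key names are placeholders.

```conf
// named.conf fragment (constructed example, all names are placeholders)

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

// Secondary zone: content is fetched from the primary by zone transfer.
zone "example.com" {
    type slave;
    // Only transfer from the expected primary, authenticated with TSIG.
    masters { 192.0.2.1 key "xfer-key"; };
    file "slaves/example.com.db";
    // Without this line the limit is 0, meaning unlimited.
    // With it, a zone larger than this many records is refused
    // instead of being loaded without bound.
    max-records 100000;
};

// Zone that accepts dynamic updates, for instance from a DHCP server.
zone "dyn.example.com" {
    type master;
    file "dynamic/dyn.example.com.db";
    // Restrict who may send updates to holders of the key.
    allow-update { key "ddns-key"; };
    // Cap how far authorized updates can grow the zone.
    max-records 50000;
};
```

Choose each limit from the zone's real record count plus headroom, and validate the file with named-checkconf before reloading.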
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/ISC-BIND-denial-of-service-via-a-zone-update-20033