We don’t normally get too involved with discussing or publishing details about bugs and patches for BIND, however due to the severity of CVE-2015-5477, it has prompted a couple of customers to email me directly who I think just wanted a second opinion.
Basically, yes, you do have to patch BIND!
Unfortunately, the news from ISC is that this is pretty serious. To quote from a blog post their Incident Manager wrote about this vulnerability:
Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds. Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then. And the fix for this defect is very localized to one specific area of the BIND code.
He continues:
I have already been told by one expert that they have successfully reverse-engineered an attack kit.
So there you have it. A single DNS query can trigger BIND to exit and there is nothing you can do to prevent it unless you patch your servers. This is a dream for anyone who wants to launch a DDoS attack, simply spray these specially crafted malicious packets around the Internet and watch all those DNS servers crash (although technically it’s not a crash).
Securi report that they have seen this attack in the wild already. More details here.
Luckily if you are running a commercial DDI product, it should notice if BIND stops and simply restart it, meaning only a short outage. If not though, you may have an extended outage if you are not monitoring your servers and don’t detect the failure quickly.
Maybe it’s just better to patch than take the risk eh?
About Paul Roberts
