The Internet Systems Consortium (ISC) has issued a high-severity security advisory that addresses a vulnerability in multiple versions of ISC Berkeley Internet Name Domain (BIND).
A remote attacker could exploit the BIND vulnerability to cause a denial-of-service (DoS) condition. The CVSS score is rated 7.5 (10 being the highest).
ISC describes the BIND vulnerability:
“‘deny-answer-aliases’ is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an INSIST assertion failure in name.c.”
“Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients. Only servers which have explicitly enabled the ‘deny-answer-aliases’ feature are at risk and disabling the feature prevents exploitation.”
As a workaround, administrators can mitigate the vulnerability by disabling the “deny-answer-aliases” feature. This feature is disabled by default.
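Because only servers that explicitly enable the feature are at risk, the first triage step is to confirm whether any active (uncommented) `deny-answer-aliases` statement exists in the configuration and in which scope. The following is an added example, not code from ISC or from the original page; the function names and the sample configuration are constructed for illustration.

```python
import re

# Quoted strings are matched first so comment markers inside them survive.
_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{};]|[^\s{};"]+')
FEATURE = "deny-answer-aliases"

def strip_comments(text):
    """Remove /* */, // and # comments, leaving quoted strings untouched."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return _COMMENT.sub(keep, text)

def find_deny_answer_aliases(conf_text):
    """Return [(scope, [names])] for every active deny-answer-aliases block."""
    findings, stack, header = [], [], []
    for tok in _TOKEN.findall(strip_comments(conf_text)):
        if tok == "{":
            name = " ".join(header)
            if name == FEATURE:  # scope is the outermost enclosing block
                findings.append((stack[0] if stack else "(top level)", []))
            stack.append(name)
            header = []
        elif tok == "}":
            if stack:
                stack.pop()
            header = []
        elif tok == ";":
            # Collect names only from the feature's own list, not except-from.
            if stack and stack[-1] == FEATURE and header:
                findings[-1][1].append(header[0].strip('"'))
            header = []
        else:
            header.append(tok)
    return findings

# Constructed sample configuration (not taken from a real server).
SAMPLE = r'''
options {
    directory "/var/named";   // working dir
    # deny-answer-aliases { "commented.example"; };
    deny-answer-aliases { "example.com"; "example.net"; } except-from { "ok.example.net"; };
};
view "internal" {
    /* deny-answer-aliases { "old.example"; }; */
    match-clients { 10.0.0.0/8; };
};
view "guest" { deny-answer-aliases { "corp.example"; }; };
'''

if __name__ == "__main__":
    for scope, names in find_deny_answer_aliases(SAMPLE):
        print(f"{scope}: deny-answer-aliases active for {names}")
```

The parser does not follow `include` statements, so feed it the output of `named-checkconf -p`, which prints the configuration with included files expanded.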