The Internet Systems Consortium (ISC) has released a security update that fixes a High-risk vulnerability in multiple versions of ISC Berkeley Internet Name Domain (BIND).
BIND is the most widely used Domain Name System software on the Internet.
The latest BIND patch addresses a vulnerability (CVE-2021-25218) that could result in an assertion failure and termination of processes.
Versions affected include BIND 9.16.19, 9.17.16 and also version 9.16.19-S1 of BIND Supported Preview Edition.
As noted in the advisory, a too-strict assertion check could be triggered when responses in BIND 9.16.19 and 9.17.16 require UDP fragmentation if RRL is in use:
“If named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active, an assertion failure is triggered (resulting in termination of the named server process).”
ISC recommends users upgrade to the appropriate BIND version (i.e., BIND 9.16.20 or BIND 9.17.17).