BIND 9 security hole said to be worse than Kaminsky attacks

The Internet Systems Consortium Inc. says users of the Berkeley Internet Name Domain Server could face denial of service attacks if they do not update to a newer version.

The Redwood City, Calif.-based non-profit organization published an urgent warning this week of a dynamic update message that could cause BIND servers that are masters for one or more zones to exit.

ISC advises users to update to either version 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1.
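A check against the three fixed releases ISC names, written for this page as an added example (it is not ISC's or Bluecat's code). It assumes the version text looks like the output of `named -v`, and that later releases on the same branch carry the fix; the sample strings are constructed.

```python
import re

# Fixed releases named in the article, keyed by branch (major, minor).
# Value is (patch number, -P level) of the first fixed release on that branch.
FIXED = {(9, 4): (3, 3), (9, 5): (1, 3), (9, 6): (1, 1)}

# Matches e.g. "9.6.1-P1"; anything glued on after that lands in the last group.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(\S*)")


def assess(version_text):
    """Classify a `named -v` style string as 'patched', 'update' or 'unknown'."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    p_level = int(m.group(4) or 0)
    suffix = m.group(5)

    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Branch not covered by the advisory as quoted in the article.
        return "unknown"
    if suffix:
        # Release candidates, betas and vendor builds (which may backport
        # fixes) cannot be judged from the version string alone.
        return "unknown"
    # Assumption: releases later than the named fix on the same branch
    # include it, so a tuple comparison is enough.
    return "patched" if (patch, p_level) >= fixed else "update"


if __name__ == "__main__":
    # Constructed sample strings, not taken from real hosts.
    for sample in ("BIND 9.6.1-P1", "BIND 9.4.3-P2", "BIND 9.5.1",
                   "BIND 9.6.1rc1", "BIND 9.5.1-P3-RedHat-9.5.1-3.P3.fc10"):
        print(f"{sample:45} {assess(sample)}")
```

An "unknown" result means the string has to be checked against the vendor's own advisory rather than treated as safe.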

“This is a widespread issue,” said Richard Hyatt, chief technology officer of Toronto-based Bluecat Networks Inc., which makes IP address management products. “It’s far worse than Kaminsky.”

Hyatt was referring to a vulnerability in the Web sites protected by Secure Sockets Layer first revealed at last year’s Black Hat security conference by Dan Kaminsky, director of penetration testing for IOActive.

“With Kaminsky, they were poisoning the cache,” Hyatt said. “With this one, people will just take you offline right away.”

James Quin, senior research analyst with Info-Tech Research Group of London, Ont., agreed.

“We’re looking at the shutdown of domain name servers,” Quin said. “The routing of IP traffic would effectively come to a halt until the system is brought back online.”

In its alert, ISC said users who get a “dynamic update message” for their BIND servers may see BIND taken offline if they are using version 9.

“This is a case of a bad line of code,” Hyatt said, adding Bluecat has posted an update for its Adonis IP address management hardware.

Fortunately, it’s easy to rectify, Quin said. “It’s only likely to be companies that aren’t staying on top of their security protocols that will be affected,” Quin said. “They can very quickly rectify the situation.”

He added attacks on telecom carriers are more serious than attacks on individual corporations.

“The impact I can cause at the individual business level is pretty minimal,” he said.

“More threats will be launched on carriers than individual companies.”

A spokesperson for Bell Canada did not want to go into detail on the technology the carrier uses, for competitive reasons, but did say Bell is “not vulnerable.”

Quin said users should not assume every carrier is properly patched.

Hyatt said companies that are vulnerable could experience problems other than losing their Web site.

“It can mutate into a worm or virus that if it gets launched from internal parts of network could attack internal servers running BIND,” Hyatt said. “It could take down parts of company from inside.”