Denial of Service BIND Alert
KOM last edited by
A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.
Document Version: 2.0
Posting date: 28 July 2015
Program Impacted: BIND
Versions affected: 9.1.0 -> 9.8.x, 9.9.0->9.9.7-P1, 9.10.0->9.10.2-P2
An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
Both recursive and authoritative servers are vulnerable to this defect. Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.
All versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND 9.9.7-P1 and BIND 9.10.2-P2 are vulnerable.
Operators should take steps to upgrade to a patched version as soon as possible.
Beat me to it. I just saw this on Ars