Stories
Slash Boxes
Comments

SoylentNews is people

Breaking News
posted by janrinok on Thursday July 30 2015, @02:08PM   Printer-friendly
from the patch-now dept.

https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/

As the security incident manager for this particular vulnerability notification, I'd like to say a little extra, beyond our official vulnerability disclosure about this critical defect in BIND [Wikipedia].

Many of our bugs are limited in scope or affect only users having a particular set of configuration choices. CVE-2015-5477 does not fall into that category. Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds. Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then. And the fix for this defect is very localized to one specific area of the BIND code.

The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer. I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind. Please take steps to patch or download a secure version immediately.

This bug is designated "Critical" and it deserves that designation.

The existence of this bug was announced 'in-house' on 28 July but is announced publicly today. Apologies for releasing my own story [submission].


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by c0lo on Thursday July 30 2015, @02:16PM

    by c0lo (156) Subscriber Badge on Thursday July 30 2015, @02:16PM (#215883) Journal

    (grin)

    Seriously speaking... sincere thanks for doing it

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2, Informative) by Eunuchswear on Thursday July 30 2015, @03:44PM

    by Eunuchswear (525) on Thursday July 30 2015, @03:44PM (#215910) Journal

    In 2015 people still use BIND? WTF.

    --
    Watch this Heartland Institute video [youtube.com]
    • (Score: 0) by Anonymous Coward on Thursday July 30 2015, @03:57PM

      by Anonymous Coward on Thursday July 30 2015, @03:57PM (#215914)

      Only masochists, hence the name.

    • (Score: 0) by Anonymous Coward on Thursday July 30 2015, @05:15PM

      by Anonymous Coward on Thursday July 30 2015, @05:15PM (#215940)
    • (Score: 4, Informative) by zocalo on Thursday July 30 2015, @05:19PM

      by zocalo (302) on Thursday July 30 2015, @05:19PM (#215941)
      Absolutely. There are alternatives, but most of them are either tied to a specific OS and/or lack some of the features and scalability necessary for some higher end usage case scenarios - albeit not ones that are likely to crop up in your typical SME. In the enterprise and ISPs where BIND is more often found there's also a lot of inertia from deployments that go back through several major revisions of BIND and noone has taken the time even investigate whether it's worth trying to migrate to an alternative platform. When you've got dozens of servers scattered across the globe and it just works (BIND is nowhere near as bad as it used to be for bugs), there's not a great deal of incentive to do much more than upgrade.
      --
      UNIX? They're not even circumcised! Savages!
    • (Score: 0) by Anonymous Coward on Thursday July 30 2015, @05:41PM

      by Anonymous Coward on Thursday July 30 2015, @05:41PM (#215947)

      In 2015 people still use BIND? WTF.

      In fact you use it every day too I bet.

      It is one of those bits of software that 'just works'. Yes it is a massive pain to setup. But once setup the maintenance on it is pretty much upgrade the executables.

      Just because you use some other tool does not mean others dont use it.

      For example VB6. I have not seen it in ages. But I am sure there is some poor soul out there maintaining some project in it. Software does not 'go away'. It can linger for years.

      I use bind at home for my local setup. As it was the one I was most familiar with for setting up dns. Could I have used something else? Sure. But why bother? Its dns lookups...

      I have seen people recently working with centos 5.5. I have seen visual studio 2005. For some people 'just works' is all they want. They do not care about the latest and greatest.

    • (Score: 2) by zeigerpuppy on Thursday July 30 2015, @09:38PM

      by zeigerpuppy (1298) on Thursday July 30 2015, @09:38PM (#216033)

      Djbdns is a nice alternative (dbndns on Debian servers).

      It has a nice readable format and has been rock solid for me.
      Here's some links as a primer if you're thinking of switching.
      (the grumpy badger guide is awesome)

      http://www.xmarks.com/s/site/www.lifewithdjbdns.com/ [xmarks.com]

      • (Score: 0) by Anonymous Coward on Friday July 31 2015, @03:50AM

        by Anonymous Coward on Friday July 31 2015, @03:50AM (#216149)

        Used to use djb for recursive only (years ago). Today unbound is a better choice.

        For non-recursive, we have stuck with bind (most vulnerabilities in bind have been in the recursive bits).

  • (Score: 1, Funny) by Anonymous Coward on Thursday July 30 2015, @05:06PM

    by Anonymous Coward on Thursday July 30 2015, @05:06PM (#215937)

    Maybe it's someone who hijacked Janrinok's HTTP session using the BIND vulnerability, who now PWNs SN.

  • (Score: 2) by Subsentient on Thursday July 30 2015, @11:09PM

    by Subsentient (1111) on Thursday July 30 2015, @11:09PM (#216064) Homepage Journal

    Just apache, vsftpd, and OpenSSH. Lucky me.

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti