The Internet Systems Consortium has released security updates for BIND, the most widely used Domain Name System (DNS) software on the Internet, and a patch for ISC DHCP, its open source software that implements the Dynamic Host Configuration Protocol for connection to an IP network.
The BIND update should be implemented as soon as possible: the vulnerability (CVE-2017-3145) can lead to denial-of-service and crash, and instances of that happening have been reported by multiple parties.
“BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash innamed [name daemon],” the ISC explained the problem.
“While this bug has existed in BIND since 9.0.0, there are no known code paths leading to it in ISC releases prior to those containing the fix for CVE-2017-3137. Thus while all instances of BIND ought to be patched, only ISC versions [9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1] acting as DNSSEC validating resolvers are currently known to crash due to this bug. The known crash is an assertion failure in netaddr.c [a library in the daemon].”
Users are advised to upgrade to the patched release most closely related to their current version of BIND.
Alternatively, there’s also a workaround for mitigating the BIND issue: if an operator is experiencing crashes due to this, temporarily disabling DNSSEC validation can be used to avoid the known problematic code path.
ISC DHCP patch
The DHCP issue is a vulnerability (CVE-2017-3144) stemming from failure to properly clean up closed OMAPI connections.
“By intentionally exploiting this vulnerability an attacker who is permitted to establish connections to the OMAPI control port can exhaust the pool of socket descriptors available to the DHCP server,” the security advisory explains.
“Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator. While the server will continue to receive and service DHCP client requests, the operator can be blocked from the ability to use OMAPI to control server state, add new lease reservations, etc.”
Effectively, this could lead to a denial-of-service condition.
While a patch has been released and is available on request, users are urged to implement the offered workaround instead.
“The workaround of denying OMAPI connections from unauthorized client addresses should be sufficient in almost all cases and is a recommended best practice for server operation,” the ISC noted.
The patch will be included in future maintenance releases of ISC DHCP.