
A Look at the BIND Vulnerability: CVE-2016-2776

  • Posted on: October 12, 2016 at 7:31 pm
  • Posted in: Vulnerabilities
  • Author: Suraj Sahu (Vulnerability Research Engineer)

On September 27, the Internet Systems Consortium (ISC) announced the release of patches for a critical vulnerability in Berkeley Internet Name Domain (BIND) that would allow attackers to launch denial-of-service (DoS) attacks. The critical error was discovered during internal testing by the ISC. BIND is a very popular open-source software component that implements DNS protocols. It is also known as the de facto standard for Linux and other Unix-based systems, which means a vulnerability can impact a vast number of servers and applications. Emphasis is placed on the BIND vulnerability because it could lead to DoS attacks that impact organizations by disabling, shutting down, or disrupting a service, network, or website. The effects of a DoS attack could range from financial loss and reputation damage to lawsuits and customer attrition.

Reports of active attacks were posted on October 5, shortly after a proof-of-concept (PoC) was released on October 1. The vulnerability affects BIND9 versions including 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3.

What’s the vulnerability?

Designated as CVE-2016-2776, this vulnerability can be triggered when a DNS server constructs a response to a crafted query and the response size crosses the default DNS response size of 512 bytes. ISC has fixed two vulnerable functions, dns_message_renderbegin() and dns_message_rendersection(), to address this vulnerability.

  • dns_message_renderbegin(): This function ensures that enough space is available for the server's response message.

Figure 1: Patch diff of message.c file

  • dns_message_rendersection(): This function renders each of the records from the Question, Answer, Authority, and Additional sections into the buffer.

When a DNS server constructs a response to a DNS query, it reserves space in the response buffer (512 bytes by default) by incrementing msg->reserved by the size required for the Answer RR. The sizes of any other Resource Records in the response buffer are added to msg->reserved in the same way.

Before the patch, the server did not take the fixed 12-byte DNS header into consideration; the header also adds to the response traffic after the Resource Records from the query are rendered through dns_message_rendersection(). So if the DNS response traffic (r.length) is less than 512 bytes (msg->reserved), the function will return true, but adding the fixed 12-byte header will cause the service to terminate if the total exceeds the fixed reserved size of 512 bytes.

The patch makes the server subtract the 12-byte DNS header length from the total response length. It then compares the result to the reserved buffer size to ensure the response size is calculated correctly.
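The size check described above can be modeled in a few lines. This is an added example, not BIND's source or the patch shown in Figure 1; the function names, the `avail` and `reserved` parameters, and the two constants are assumptions chosen to mirror the article's 12-byte header and 512-byte default. It counts how many reserved sizes each version of the check accepts even though header plus records cannot fit.

```c
#include <stdio.h>
#include <stddef.h>

#define HEADER_LEN 12   /* fixed DNS header size, per the article */
#define DEFAULT_BUF 512 /* default response size, per the article */

/* Pre-patch check as the article describes it: only the reserved bytes
 * are compared against the available space; the header is ignored. */
static int check_unpatched(size_t avail, size_t reserved)
{
    return avail >= reserved;
}

/* Post-patch check as the article describes it: the header length is
 * subtracted from the available space before the comparison. */
static int check_patched(size_t avail, size_t reserved)
{
    if (avail < HEADER_LEN)
        return 0;               /* avoid unsigned wrap-around */
    return avail - HEADER_LEN >= reserved;
}

/* What the renderer really needs: header plus reserved bytes. */
static int fits(size_t avail, size_t reserved)
{
    return HEADER_LEN + reserved <= avail;
}

/* Count reserved sizes that a check accepts although the response
 * cannot fit; each is a case where the server would later terminate. */
static size_t count_false_accepts(int (*check)(size_t, size_t), size_t avail)
{
    size_t n = 0;
    for (size_t reserved = 0; reserved <= avail; reserved++)
        if (check(avail, reserved) && !fits(avail, reserved))
            n++;
    return n;
}

int main(void)
{
    printf("unpatched false accepts: %zu\n",
           count_false_accepts(check_unpatched, DEFAULT_BUF));
    printf("patched false accepts:   %zu\n",
           count_false_accepts(check_patched, DEFAULT_BUF));
    return 0;
}
```

The unpatched check leaves a window exactly as wide as the header: any reserved size within the last 12 bytes of the buffer passes the check but cannot be rendered.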

Trend Micro Solutions 

Given the impact of a DoS attack on businesses and services, immediate patching of BIND servers is highly recommended.

Trend Micro Deep Security™ provides protection from any threats that may target this vulnerability via the following DPI rule:

  • 1007972—ISC BIND Assertion Failure Denial of Service Vulnerability (CVE-2016-2776)

TippingPoint customers are protected from attacks exploiting this vulnerability with the following Mainline DV filters:

  • 25235: DNS: ISC BIND buffer.c Denial-of-Service Vulnerability