A Look at the BIND Vulnerability: CVE-2016-2776

On September 27, the Internet Systems Consortium (ICS) announced the release of patches for a critical vulnerability that would allow attackers to launch denial-of-service (DoS) attacks using the Berkeley Internet Name Domain (BIND) exploits. The critical error was discovered during internal testing by the ISC. BIND is a very popular open-source software component that implements DNS protocols. It is also known as the de facto standard for Linux and other Unix-based systems, which means a vulnerability can impact a vast amount or servers and applications. Emphasis is placed on the BIND vulnerability as it could lead to DoS attacks that could impact organizations by disabling, shutting down, or disrupting a service, network, or website. The effects of a DoS attack could range from financial loss and reputation damage to lawsuits and customer attrition.

Reports of active attacks were posted on October 5, shortly after a proof-of-concept (PoC) was released on October 1. The vulnerabilities affect BIND9 versions including 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3.

What’s the vulnerability?

Designated as CVE-2016-2776, this particular vulnerability can be triggered when a DNS server constructs a response to a crafted query where the response size crosses the default DNS response size 512. ISC has fixed two vulnerable functions dns_message_renderbegin () and dns_message_rendersection() to address this vulnerability.

dns_message_renderbegin (): This function ensures the enough space is available for server response message.

Figure 1: Patch diff of message.c file

dns_message_rendersection(): To render each of the record from Question, Answer, Authority and Additional into the buffer.

When a DNS server constructs a response for a DNS Query, it reserves the space in the response buffer (of size 512 by default), it will increment the msg->reserved by the size required for Answer RR. The size also adds up in msg->reserved size, which would be the same if the response buffer has other Resource Records.

Before patching, the server does not take fixed 12-byte DNS headers into consideration, which also adds to the response traffic after rendering the Resource Records from Query through function dns_message_rendersection(). So if the DNS response(r.length) traffic is less than 512 bytes (msg->reserved), the function will return true, but adding the fixed 12-byte header will cause the service to terminate if it exceeds the fixed reserved size of 512 bytes.

The patch enables servers to decrease the DNS header length from the total response length by 12 bytes. It then compares it to the reserved buffer size to ensure correct calculations for response size.

Trend Micro Solutions

Given the impact of a DoS attack on businesses and services, immediate patching of BIND servers is highly recommended.

Trend Micro Deep Security™ provides protection from any threats that may target this vulnerability via the following DPI rule: