Actualités Actualités

Multiple vulnerabilities in several DNS products

Home > Observatory and resources > News > Multiple vulnerabilities in several DNS products
12/22/2014

Discovered by Florian Maury, at the French Network and Information Security Agency (ANSSI), it is called “infinite recursion“.

It only affects DNS resolvers (and in certain circumstances, BIND software, even when it is on an authoritative server). It is present in several software systems, at least BIND (CVE-2014-8500), PowerDNS (CVE-2014-8601) and Unbound (CVE-2014-8602).

It does not seem to be present in the Microsoft Windows DNS resolver.

The vulnerability enables easy denial of service attack, which stops the operation of the resolver without committing extensive resources. It is therefore necessary for all DNS resolver managers to quickly update their software.

 

For BIND, upgrade to versions 9.9.6-P1 and 9.10.1-P1

<https://kb.isc.org/article/AA-01224/81/BIND-9.9.6-P1-Release-Notes.html>

<https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html>

 

For Unbound, upgrade to 1.5.1 “Fix CVE-2014-8602: denial of service by making resolver chase endless series of delegations”.

<https://unbound.nlnetlabs.nl/pipermail/unbound-users/2014-December/003663.html>

For PowerDNS, upgrade to 3.6.2, which was released several weeks ago.

<http://mailman.powerdns.com/pipermail/pdns-users/2014-December/011009.html>