The Internet Systems Consortium (ISC) issued a security bulletin describing a critical flaw in BIND software. The vulnerability allows attackers to disrupt the system and affect other services relying on DNS infrastructure.
The vulnerability, identified as CVE-2013-2266, affects only versions of BIND for Unix/Linux-based systems, namely 9.7.x, 9.8.0 - 9.8.5b1 and 9.9.0 - 9.9.3b1. Windows versions are not vulnerable to this issue.
“The function containing the exploitable defect depends on system libraries and header files that are present only on ‘Unix-like’ operating systems; if the libraries don't exist on a platform the function is compiled out. Consequently, Windows versions of BIND 9 are not affected by this vulnerability,” security experts stated.
The vulnerability is exploited by sending specially crafted requests, which cause excessive memory consumption in named or other programs linked to libdns, abort the server, and open access to other data contained on the attacked server.