A New DNS Vulnerability

A new DNS vulnerability was found in BIND yesterday, CVE-2012-5688. It is listed as a critical vulnerability.

This adds to the list of major vulnerabilities discovered in BIND. Since February of 2011, a new high-severity vulnerability has been found on average every 60 days. This is a worrisome trend for DNS administrators concerned with the increasing sophistication and volume of attacks. None of these vulnerabilities have affected Secure64 DNS servers.

| Vulnerability | Description | Date | BIND Exploitability | Secure64 Exploitability |
|---|---|---|---|---|
| CVE-2012-5688 | DNS64 Query | December 4, 2012 | High | None |
| CVE-2012-5166 | Named lockup | October 9, 2012 | High | None |
| CVE-2012-4244 | Large RDATA | September 12, 2012 | High | None |
| CVE-2012-3868 | TCP load | July 24, 2012 | High | None |
| CVE-2012-3817 | DNSSEC assert | July 24, 2012 | High | None |
| CVE-2012-1667 | Zero length rdata | June 4, 2012 | High | None |
| CVE-2011-4313 | query.c crash | November 16, 2011 | High | None |
| CVE-2011-2464 | Remote DoS packet | July 5, 2011 | High | None |
| CVE-2011-1910 | Large crash | May 26, 2011 | High | None |
| CVE-2011-1907 | RPZ | May 5, 2011 | High | None |
| CVE-2011-0414 | IXFR crash | February 22, 2011 | High | None |

Every software product has issues, and clever people will find loopholes. That is why it is more important than ever to make sure a strong product is in place. It is also advisable to have diversity in place. Over 75% of the world's DNS servers run BIND, which makes it a big target. People know BIND well and seem to find new exploits in it frequently.

These frequent vulnerabilities provide a solid reason to look at diversifying the code base used to manage DNS servers. Secure64 offers highly secure DNS solutions built on a code base that is diverse from BIND.