The Grinch Comes Early for BIND Users

The grinch showed up early for BIND users this year, in the form of two new critical security vulnerabilities that can crash BIND. The two vulnerabilities are:

• CVE-2015-8000

• CVE-2015-8461

ISC has released patches of its BIND software that correct the problem.

Users of BIND-based appliances from vendors such as Infoblox, Bluecat Networks, BT, Efficient IP, Radware and F5 are advised to contact their vendor for more information about the availability of a patch.

Secure64 products, which are not based on BIND, do not have these vulnerabilities.


When It Rains, It Pours. More BIND Vulnerabilities.

September 2, 2015 was not a good day for BIND users. Two new critical security vulnerabilities were announced today – both of them are remotely exploitable vulnerabilities that crash the server. The two vulnerabilities are:

CVE-2015-5986

CVE-2015-5722

ISC has released patches of its BIND software that correct the problem.

Users of BIND-based appliances from vendors such as Infoblox, Bluecat Networks, BT, Efficient IP, Radware and F5 are advised to contact their vendor for more information about the availability of a patch.

Secure64 products, which are not based on BIND, are not vulnerable to these security threats.

Secure64 DNS Products Not Vulnerable to BIND Security Flaw

On July 28, 2015, the Internet Systems Consortium reported a critical security vulnerability in BIND, CVE-2015-5477. This vulnerability, which affects both BIND recursive and authoritative servers, is caused by an error in the handling of TKEY queries, allowing a remote attacker to crash BIND by sending a deliberately constructed query.

This vulnerability is considered critical, as it cannot be prevented through ACLs or configuration options, and affects all versions of BIND 9 (BIND 9.1.0 through 9.10.2). Successful attacks on unpatched BIND servers can result in a loss of DNS service, potentially making an organization’s web, email and other internet-connected servers unreachable.

BIND users are strongly encouraged to patch their servers immediately, as attacks against the DNS servers have already been reported. BIND-based appliances are also vulnerable and should be patched – customers are encouraged to contact their vendors for additional patching information.

Secure64 DNS Cache and DNS Authority products, which are not based on BIND, do not contain this flaw, and do not require a patch to provide protection against these attacks.

Secure64 DNS Cache not vulnerable to recently announced resource exhaustion bugs

Secure64 has confirmed that its DNS Cache product is not vulnerable to the latest BIND vulnerability announced by ISC on December 8, 2014. This BIND bug is categorized as severe and remotely exploitable, and is the 9th such vulnerability in the past 24 months. The announcements describe flaws in the BIND DNS resolver that could cause it to issue large numbers of queries to resolve names in maliciously constructed zones, leading to resource exhaustion that is exploitable to launch denial of service attacks.

The ISC vulnerability announcements can be found here:

ISC: CVE-2014-8500, https://kb.isc.org/article/AA-01216

Unlike some previous CVEs, immediate patching is available for ISC BIND. Users of BIND-based appliances like Efficient IP, Infoblox and Bluecat should check the vendor web sites.

Bluecat: A support note is posted at https://www.bluecatnetworks.com/support/security_updates/2014

Secure64's DNS Cache product is not susceptible to this vulnerability or any of the previously announced BIND vulnerabilities. DNS Cache limits the amount of resources that are consumed by the resolver under normal and attack conditions to remain available and responsive, even under resolver-targeted attacks.

DNS is arguably the most critical control point for every on-line business and IP-based service. Secure64 is a software applications company enabling secure DNS services and is built upon the industry’s only genuinely secure platform. Secure64 DNS technology brings protection to over 180 million on-line users, supports 85% of all internet reverse DNSSEC and is used by leading service providers, enterprises and government organizations.

For more information on Secure64's DNS capabilities and the latest wave of potent DNS attacks, please request the “Death by One Thousand Paper Cuts” white paper by clicking on the Contact Us button on the home page of our website www.secure64.com and filling in the contact form.

FAQ for CVE-4854 – BIND Vulnerability

In order to help our customers with their DNS-related questions, we wrote this blog post regarding the recently announced BIND vulnerability, CVE-4854.

What happened?

ISC announced a critical vulnerability in the popular BIND DNS software. This might affect you. BIND servers configured either as caching or authoritative are vulnerable.

DNS Diversity

Every DNS administrator knows that you need to configure at least two recursive or authoritative DNS servers so that you can still provide service in case one fails. Many administrators also know that these servers ideally should be located in different data centers and utilize different networks so that DNS service will not be interrupted in the event of a data center or network outage.