ISC fixes three critical vulnerabilities in BIND9

• The security updates released by ISC patched three denial-of-service vulnerabilities present in the DNS software.
• Among the vulnerabilities, one of the flaws has been given a severity rating of high while the other two has been rated as medium.

The Internet Systems Consortium (ISC) has released new security updates which fix three denial-of-service (DoS) vulnerabilities in its DNS software BIND. The security flaws existed in the BIND9 variant of the software. All these flaws could crash BIND9 from working thus ceasing service to clients.

What are the flaws?

• The first one, CVE-2018-5743, is a high-severity flaw which does not limit the number of TCP client connections. Attackers could abuse this flaw to drastically increase the number of connections thus resulting in a DoS condition. The flaw was due to an error in the code written for limiting the simultaneous connections. Main versions affected by this flaw are BIND 9.9.0 to 9.10.8-P1, 9.11.0 to 9.11.6, 9.12.0 to 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 to 9.11.5-S3, and 9.11.5-S5.
• The second flaw, CVE-2019-6468, is the result of a coding error in a feature known as ‘nxdomain-redirect’. This is applicable to BIND versions which support EDNS Client Subnet (ECS) features. Enabling the redirect feature in these BIND versions could allow attackers to crash BIND. Versions affected are BIND Supported Preview Edition, 9.10.5-S1 to 9.11.5-S5.
• The third flaw, CVE-2019-6467, is also the result of a coding error in nxdomain-redirect. The server involved in redirection either produces a local copy of the root zone or uses mirroring to provide the root zone, due to the flaw. Versions affected are BIND 9.12.0 to 9.12.4 and 9.14.0.

Mitigation Measures

Users and admins of BIND9 are advised to go through the security advisories mentioned above for details, and accordingly, update their software to resolve the vulnerabilities.