BIND Control Channel Denial of Service

April 28, 2017

BIND (Berkeley Internet Name Domain) is widely deployed DNS server software that resolves domain names to IP addresses; it is commonly found on Linux and Unix servers. It is maintained by ISC (Internet Systems Consortium).

A denial-of-service vulnerability exists in the BIND named daemon's handling of control channel (rndc) commands. ISC describes it as follows:

BIND 9.11.0 introduced a new option to allow "read only" commands over the command channel. Using this restriction, a server can be configured to limit specified clients to giving control channel commands which return information only (e.g. "rndc status") without affecting the operational state of the server. The defect described in this advisory, however, is not properly stopped by the "read only" restriction, in essence permitting a privilege escalation allowing a client which should only be permitted the limited set of "read only" operations to cause the server to stop execution.

The vulnerability has been assigned CVE-2017-3138. A remote attacker who is authorized to use the control channel (that is, who holds a key listed in the controls statement and whose source address passes its allow list) can exploit it by sending a crafted control channel message; the "read-only" restriction does not prevent this. A successful attack terminates the named process, taking the DNS service down until it is restarted. ISC addressed the issue in BIND 9.9.9-P8, 9.10.4-P8 and 9.11.0-P5; administrators are urged to upgrade to a fixed release and, in the meantime, to restrict control channel access to trusted hosts and keys only.
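The following named.conf fragment is an added example, not configuration from the SonicWall post or from ISC. It shows a BIND 9.11 controls statement with both an administrative channel and a "read-only" channel of the kind the advisory describes, and annotates why the read-only channel is not a safe way to contain a low-trust client on an unpatched server. Key names, addresses and the secret values are assumptions made for illustration.

```conf
# Added example (not from the SonicWall post or ISC's advisory).
# Key names, addresses and secrets below are constructed placeholders;
# generate real secrets with "rndc-confgen" or "tsig-keygen".

key "rndc-key" {
    # Administrative key: grants the full rndc command set (stop, reload, ...).
    algorithm hmac-sha256;
    secret "3q1M0h7Z9cS2kP8vN4wL6bR1tY5uE0xG2jH8fD4aK9o=";   # dummy value
};

key "monitor-key" {
    # Low-trust key handed to a monitoring host for "rndc status" only.
    algorithm hmac-sha256;
    secret "Zr4vQ9nB2sW7kL1pX6cT0mH3yJ8dF5gA1eU2iO9lR4s=";   # dummy value
};

controls {
    # Administrative channel: loopback only, single trusted key.
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };

    # "Read-only" channel (option introduced in BIND 9.11.0) exposed to a
    # monitoring host on the management network. On versions affected by
    # CVE-2017-3138, a client that authenticates with monitor-key on this
    # channel can still terminate named with a crafted control message,
    # so the read-only restriction is not a security boundary until the
    # server is upgraded. Until then, remove this entry rather than rely
    # on read-only to contain the monitoring host.
    inet 192.0.2.10 port 953
        allow { 192.0.2.53; }
        keys { "monitor-key"; }
        read-only yes;
};
```

After editing, check the syntax with `named-checkconf`, confirm the running version with `named -v`, and verify from the monitoring host that `rndc -s 192.0.2.10 -k <monitor key file> status` succeeds while `rndc -s 192.0.2.10 -k <monitor key file> reload` is refused. A refused reload shows that read-only is in effect, but it says nothing about whether the server is patched for this CVE; only the version check does.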

SonicWall provides protection against this threat via the following signature:

  • IPS sid:12732 "ISC BIND rndc Control Channel DoS"