It’s Been Zero Days Since BIND9 Crashed
The Internet has done a fantastic job in fixing the latest vulnerabilities in BIND, but hundreds of thousands of BIND servers are still vulnerable to multiple CVEs. Read the article below and learn about the latest spiderSilk research.
What is BIND?
BIND (Berkeley Internet Name Domain) is a software suite that includes the most extensively used DNS (Domain Name System) server software in the world. This feature-rich DNS service and tools implementation aspires to be 100% standards-compliant and serves as a reference design for DNS software. BIND is a free and open-source software package that was created at the University of California's Berkeley campus in the 1980s. The Internet Systems Consortium maintains the most recent major version, BIND 9, which was first released in 2000. BIND is well suited to provide all DNS-related service functions for any sized network. You can run caching DNS servers, authoritative DNS servers, or both using BIND.
Latest Vulnerabilities in BIND
I won’t bore you with all of the ins and outs of DNS requests, as that is outside the scope of this article. What I will do instead is talk about some new vulnerabilities impacting BIND and how you can perform your own research using live Internet data.
By most accounts, BIND is considered a secure piece of software, with most of the known bugs dating back to 1999 being denial-of-service issues. Recently, however, four new flaws (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667) were announced in BIND impacting multiple versions, which we’ll take a brief look at right now:
CVE-2021-25220
When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers. Authoritative-only BIND 9 servers are not vulnerable to this flaw.
Some examples of configurations that will be vulnerable are:
- Resolvers using per-zone or global forwarding with “forward first” (forward first is the default).
- Resolvers not using global forwarding, but with per-zone forwarding with either forward first (the default) or forward only.
- Resolvers configured with global forwarding along with zone statements that disable forwarding for part of the DNS namespace.
- CVSS: 6.2
- Impact: The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.
- Affected Versions:
  - BIND versions 9.11.0 -> 9.11.36, 9.12.0 -> 9.16.26, and 9.17.0 -> 9.18.0
  - BIND Supported Preview Editions 9.11.4-S1 -> 9.11.36-S1 and 9.16.8-S1 -> 9.16.26-S1
  - EOL versions of BIND back to 9.10 are likely vulnerable as well
CVE-2022-0396
ISC recently discovered an issue in BIND that allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. This issue can only be triggered on BIND servers that have keep-response-order enabled, which is not the default configuration. The keep-response-order option is an ACL block; any hosts which are specified within it will be able to trigger this issue on affected versions.
- CVSS: 4.9
- Impact: Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.
- Affected Versions: BIND 9.16.11 to 9.16.26 (including S editions), and 9.18.0
CVE-2022-0635
The RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature (synth-from-dnssec) was refactored for the new BIND 9.18.0 stable release and the default was changed so that it is now automatically enabled for DNSSEC-validating resolvers. Subsequently, it was found that repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly. The vulnerability affects BIND resolvers that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf, and that enabling dnssec-validation automatically enables synth-from-dnssec unless it is explicitly disabled.)
- CVSS: 7.0
- Impact: When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check.
- Affected Versions: BIND 9.18.0
CVE-2022-0667
In BIND 9.18.0 the recursive client code was refactored. This refactoring introduced a "backstop lifetime timer". While BIND is processing a request for a DS record that needs to be forwarded, it waits until this processing is complete or until the backstop lifetime timer has timed out. When the resume_dslookup() function is called as a result of such a timeout, the function does not test whether the fetch has previously been shut down. This introduces the possibility of triggering an assertion failure, which could cause the BIND process to terminate.
- CVSS: 7.0
- Impact: When the vulnerability is triggered the BIND process will exit.
- Affected Versions: BIND 9.18.0
Scanning methodology
Here at spiderSilk, we continuously scan the entire Internet proactively hunting for non-coded threats, misconfigurations and GitHub/GitLab/BitBucket source code leakages which impact your infrastructure. ZERO Setup, No tools to install and no software to run on your part, just log into our dashboard and reap the benefits of Resonance. Wondering about your exposure? Let’s schedule a complimentary external attack surface analysis!
And since we scan the Internet continuously, we tend to have good visibility into the software that powers it. After hearing about these new vulnerabilities, we found 3,314,548 unique IP addresses that responded to our queries on port 53. If you’d like to replicate this research, point zmap at 0.0.0.0/0 and grab yourself a coffee (use zmap’s blocklist and rate-limiting options, and expect abuse complaints: an Internet-wide scan from an IP with a poor reputation draws them quickly). The number of results in your dataset may vary from ours based on network conditions, firewalls, your IP reputation, etc.
Once you have the list of IP addresses collected which respond to your queries on port 53, you can obtain BIND version information rather easily by iterating over the list of IPs using dig:
Now that we have the data, we must sift through it and remove everything that isn’t BIND. And that list includes dnsmasq:
Unbound:
And the many errors that happen during testing:
And then there are other ways in which people like to obfuscate the version information of their resolvers:
And we absolutely cannot leave out the salty admins, though I’m skeptical that malicious parties prowling the Internet are going to heed this sage advice:
April 2022 Overview
Now we can break the remaining data down by version so that each banner can be matched against the CVEs it is potentially affected by. I’m not going to bore you with all the grepping that we did, and there was a lot, but if you’re really interested, send me a message on Twitter and I’ll share some bits and pieces. As the graph below shows, there is no shortage of potentially vulnerable BIND servers on the Internet today.
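The sifting and bucketing just described, as an added example that is not spiderSilk’s scan tooling and not code from the original post. The banner grab per IP is the usual CHAOS-class query (`dig +short @IP version.bind txt ch`); this script takes the resulting `dig +short` output lines, drops errors and non-BIND banners (dnsmasq, Unbound, hidden or hostile strings), and counts the BIND banners that fall inside the affected-version ranges quoted from the advisories above. The sample output lines are constructed for illustration, and a match means "potentially vulnerable" only: version.bind can be set to any string, and distributions often backport fixes without changing the upstream version in the banner.

```python
import re
from collections import Counter

# Inclusive (major, minor, patch) ranges copied from the advisory text quoted above.
# 9.10.x is folded into the first CVE-2021-25220 range because the advisory lists
# EOL releases back to 9.10 as likely vulnerable.
AFFECTED = {
    "CVE-2021-25220": [((9, 10, 0), (9, 11, 36)), ((9, 12, 0), (9, 16, 26)), ((9, 17, 0), (9, 18, 0))],
    "CVE-2022-0396": [((9, 16, 11), (9, 16, 26)), ((9, 18, 0), (9, 18, 0))],  # also needs keep-response-order
    "CVE-2022-0635": [((9, 18, 0), (9, 18, 0))],
    "CVE-2022-0667": [((9, 18, 0), (9, 18, 0))],
}

# BIND banners start with the bare 9.x.y version; suffixes such as -P2, -S1, -Ubuntu or
# -RedHat-... follow it and do not change the range comparison.
BIND_VERSION = re.compile(r"^9\.(\d+)\.(\d+)")


def dig_args(ip: str) -> list[str]:
    """argv for the per-IP banner grab: a CHAOS-class TXT query for version.bind."""
    return ["dig", "+short", "+time=2", "+tries=1", f"@{ip}", "version.bind", "txt", "ch"]


def parse_banner(line: str):
    """Extract the TXT payload from one line of `dig +short` output; None for errors or no answer."""
    line = line.strip()
    if not line or line.startswith(";"):  # e.g. ';; connection timed out; no servers could be reached'
        return None
    # dig prints TXT rdata as one or more quoted strings; join them into one banner.
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    return " ".join(parts) if parts else line


def bind_version(banner: str):
    """(9, minor, patch) for a BIND banner; None for dnsmasq/Unbound/hidden/hostile banners."""
    m = BIND_VERSION.match(banner)
    return (9, int(m.group(1)), int(m.group(2))) if m else None


def classify(banner: str):
    """Set of CVE ids whose affected range contains the banner's version; None if not BIND."""
    version = bind_version(banner)
    if version is None:
        return None
    return {cve for cve, ranges in AFFECTED.items() if any(lo <= version <= hi for lo, hi in ranges)}


def summarize(dig_lines) -> Counter:
    """Bucket a whole scan's dig output: no-answer, non-bind, bind, bind-unaffected, per-CVE counts."""
    counts = Counter()
    for line in dig_lines:
        banner = parse_banner(line)
        if banner is None:
            counts["no-answer"] += 1
            continue
        cves = classify(banner)
        if cves is None:
            counts["non-bind"] += 1
            continue
        counts["bind"] += 1
        if not cves:
            counts["bind-unaffected"] += 1
        for cve in cves:
            counts[cve] += 1
    return counts


# Constructed sample of `dig +short` output lines, modelled on the kinds of answers the
# article describes (BIND, dnsmasq, Unbound, hidden banners, salty admins, timeouts).
SAMPLE_DIG_OUTPUT = [
    '"9.16.1-Ubuntu"',
    '"9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9"',  # vendor backports fixes, so only "potentially"
    '"9.18.0"',
    '"9.16.27"',
    '"9.16.26-S1"',
    '"dnsmasq-2.80"',
    '"unbound 1.9.0"',
    '"not currently available"',
    '"go away"',
    ';; connection timed out; no servers could be reached',
    '',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_DIG_OUTPUT).items()):
        print(f"{key:20s} {n}")
```

To run it against a real scan, feed `summarize()` the concatenated `dig +short` output of `dig_args(ip)` for each IP in your zmap result list; a host with a 9.18.0 banner lands in all four buckets, so the per-CVE counts deliberately overlap.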
Interesting results from our completely unscientific research into these four recent vulnerabilities in BIND9. In April 2022, we estimated there were (percentages are of the 3,314,548 hosts answering on port 53, not of BIND servers alone):
- 316,122 (~9.54%) BIND9 servers potentially vulnerable to CVE-2021-25220
- 74,299 (~2.24%) BIND9 servers potentially vulnerable to CVE-2022-0396
- 535 (~0.016%) BIND9 servers potentially vulnerable to both CVE-2022-0635 and CVE-2022-0667
Wow! Almost 10% of the hosts answering on port 53 are potentially vulnerable to cache poisoning! It’s important to note this research is based upon banner information only: we did not invasively probe the resolvers to test each of the particular vulnerabilities, version.bind can be set to any string, and distributions often backport fixes without changing the upstream version shown in the banner, so a banner in an affected range is a reason to check, not proof of exposure.
June 2022 Overview
Now that summer is here, let’s look at these numbers again and see if there has been any change. Our latest zmap data shows 3,375,335 IP addresses responding on port 53, an increase of 60,787 since our last check in April. Now let us see who is still vulnerable to these flaws after some time.
- 151,882 BIND9 servers are still potentially vulnerable to CVE-2021-25220, 48% of the total found in April.
- 17,953 BIND9 servers are still potentially vulnerable to CVE-2022-0396, 24% of the total found in April.
- 158 BIND9 servers are still potentially vulnerable to both CVE-2022-0635 and CVE-2022-0667, 29% of the total found in April.
The Internet has done a fantastic job, but not a perfect one, of mitigating the risks from these bugs. Unfortunately, summing the three buckets, 169,993 BIND9 servers still show banners in a range affected by at least one of these CVEs (a 9.18.0 banner falls into all three buckets, so the sum counts such hosts more than once).
spiderSilk is re-imagining threat detection from a multi-solution, resource-intensive proposition today, to an automated, intelligent, cost-effective & easy to deploy one. Schedule a complimentary external attack surface analysis today and let us show you what Resonance has to offer with ZERO setup and 100% non-intrusive!
About the Author
Brian is a Senior Security Engineer with spiderSilk, an emerging leader in attack surface management and threat detection. Brian is an expert in his field and, before coming to spiderSilk, helped launch OpenDNS Umbrella before they were acquired by Cisco. He has decades of experience in law enforcement, security research, and system administration. He has been awarded many CVEs since 2016 for his research into Firefox, OpenSSL, cURL, PHP, Perl, and more!