CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND

Refers to: Plesk

Created: 2016-11-16 13:17:32 UTC

Modified: 2016-12-21 20:22:50 UTC


Failure to place limits on delegation chaining can allow an attacker to crash BIND or cause memory exhaustion.

Situation

By making use of maliciously constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process).
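The effect of placing limits on delegation chaining can be seen in a toy model. This is an added example, not code from BIND or from this article; the function names, the sample lookup tables and the limit values (8 and 40) are assumptions chosen for illustration.

```python
# Toy model (added example, not BIND code): a resolver that follows
# referrals with a depth cap and a total-query budget per client request.

class LimitExceeded(Exception):
    """Raised when one resolution exceeds its work budget."""

def endless_lookup(name):
    # Constructed sample data: every name is answered with a referral to
    # two more names that must be resolved first, so the chain never ends.
    return [f"a.{name}", f"b.{name}"]

def normal_lookup(name):
    # Constructed sample data: a short, well-behaved chain of two referrals.
    chain = {
        "www.example.test": ["ns.example.test"],
        "ns.example.test": ["ns.test"],
        "ns.test": [],  # empty list = address known, nothing left to follow
    }
    return chain[name]

def _follow(name, lookup, depth, state, max_depth, max_queries):
    # Check the chain depth before doing any work for this hop.
    if depth > max_depth:
        raise LimitExceeded("delegation chain too deep")
    # Every lookup, on any branch, is charged to the same request budget.
    state["queries"] += 1
    if state["queries"] > max_queries:
        raise LimitExceeded("query budget exhausted")
    referrals = lookup(name)
    if not referrals:
        return True
    return any(
        _follow(ns, lookup, depth + 1, state, max_depth, max_queries)
        for ns in referrals
    )

def resolve(name, lookup, max_depth=8, max_queries=40):
    """Return (status, queries_sent); illustrative limits, not BIND defaults."""
    state = {"queries": 0}
    try:
        _follow(name, lookup, 0, state, max_depth, max_queries)
        return ("ANSWER", state["queries"])
    except LimitExceeded:
        # The request fails cleanly instead of consuming unbounded resources.
        return ("SERVFAIL", min(state["queries"], max_queries))
```

With both limits set to infinity, `resolve` on `endless_lookup` never returns, which is the unbounded work the advisory describes.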

Additional information: BIND: CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND

Impact

All recursive resolvers are affected. Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.

Solution

To close the vulnerability, a BIND upgrade is required.

Call to Action

Upgrade BIND to the patched release most closely related to your current version. All the OS vendors have already fixed the bind packages in their OS repositories:

For CentOS/RedHat systems:

# yum update bind

For Debian/Ubuntu systems:

# apt-get install bind9

For a product installed in a Parallels Server Virtualization environment:

To update bind in all containers in a batch, please check article #123952

Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.

We also strongly encourage you to stay connected to Parallels for important product-related information via these methods:
