The Internet Systems Consortium (ISC) is reporting a major vulnerability in BIND 9, with an apparent exploit in the wild. According to the announcement, servers running BIND 9 and performing recursive queries should upgrade immediately.
The actual exploit for this vulnerability is not yet reported. ISC says that it will cause a resolver to cache an invalid record, then crash when responding to queries that request that record.
If BIND has crashed due to the flaw, ISC says it should log an error in query.c with the message “INSIST(! dns_rdataset_isassociated(sigrdataset)).”
The ISC does not yet know the actual cause of the vulnerability, but has a patch that deals with the symptom of the exploit. The vulnerability affects multiple versions of BIND, and ISC has produced patches for BIND 9.8.1, 9.7.4, 9.6 and 9.4. Versions 9.2.x and earlier may be unaffected due to an older implementation of DNSSEC.
The announcement from ISC has links to the patches, and many vendors have already produced updates that incorporate the patches. If you’re running affected versions of BIND 9, upgrade immediately.
