Palo Alto Networks Releases Signature for BIND 9 Vulnerability

This week started off with a bang when a vulnerability in BIND was accidentally disclosed earlier than expected. BIND is an open source and extremely popular DNS server that is used world-wide. The vulnerability, CVE-2011-2464, can lead to a denial of service by sending a single specially crafted packet to the DNS server. The risk is obvious: the attack requires only one packet, and DNS servers must accept incoming requests from anyone in order to do their job. As of the time of writing we are unaware of other security vendors providing signatures for this vulnerability. There are no workarounds for the affected versions of BIND, and Internet Systems Consortium (ISC), the organization responsible for BIND, recommends that users upgrade to 9.6-ESV-R4-P3, 9.7.3-P3 or 9.8.0-P4.
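Because the only remediation is the upgrade, the first thing to check is which BIND release each resolver and authoritative server is actually running. The script below is an added example, not code from Palo Alto Networks or ISC: it parses the version string that `named -v` prints (assumed here to look like `BIND 9.7.3-P2`) and compares it against the three fixed versions ISC named in the advisory. Branches the advisory does not mention are reported as `unknown` rather than guessed at, and a later release within a listed branch (for example 9.8.1 or 9.6-ESV-R5) is assumed to carry the fix of the patch release before it.

```python
import re

# Minimum fixed versions for CVE-2011-2464 as named by ISC (from the post above).
# Key: (release branch, is_esv). Value: (release, patch level) that carries the fix.
# For the ESV branch the "release" component is the -R number; otherwise the third digit.
FIXED = {
    ("9.6", True): (4, 3),   # 9.6-ESV-R4-P3
    ("9.7", False): (3, 3),  # 9.7.3-P3
    ("9.8", False): (0, 4),  # 9.8.0-P4
}

# Matches the ISC version grammar: 9.7.3, 9.7.3-P3, 9.6-ESV-R4, 9.6-ESV-R4-P3, ...
# A distro suffix such as "-RedHat-9.7.3-2.el6" after the ISC version is ignored.
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?"
    r"(?P<esv>-ESV)?"
    r"(?:-R(?P<r>\d+))?"
    r"(?:-P(?P<p>\d+))?"
)


def parse_bind_version(banner):
    """Parse a `named -v` banner into (branch, is_esv, release, patch_level).

    Returns None when no version number is present in the banner.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    branch = f"{m['major']}.{m['minor']}"
    is_esv = m["esv"] is not None
    # ESV releases count in -R numbers; mainline releases in the third digit.
    release = int(m["r"] or 0) if is_esv else int(m["patch"] or 0)
    patch_level = int(m["p"] or 0)
    return branch, is_esv, release, patch_level


def status_for_cve_2011_2464(banner):
    """Return 'fixed', 'vulnerable' or 'unknown' for a `named -v` banner.

    'unknown' covers unparseable banners and branches ISC did not list,
    so the caller has to look those up rather than trusting a guess.
    """
    parsed = parse_bind_version(banner)
    if parsed is None:
        return "unknown"
    branch, is_esv, release, patch_level = parsed
    minimum = FIXED.get((branch, is_esv))
    if minimum is None:
        return "unknown"
    return "fixed" if (release, patch_level) >= minimum else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real servers.
    for banner in ("BIND 9.7.3-P2", "BIND 9.7.3-P3", "BIND 9.6-ESV-R4",
                   "BIND 9.8.0-P4-RedHat-9.8.0-1", "BIND 9.5.2-P4"):
        print(f"{banner:35} {status_for_cve_2011_2464(banner)}")
```

Feed it the banner from `named -v` on each host (or the `version.bind` CHAOS TXT record if you have not hidden it). One caveat: some distributions backport security fixes without bumping the ISC version string, so a `vulnerable` result from a vendor-packaged BIND should be confirmed against that vendor's advisory before you page anyone.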

Palo Alto Networks has developed a signature for this vulnerability, and it has been rolled out to customers. We strongly recommend that customers apply content update #255, released on July 7, 2011, which includes the signature for CVE-2011-2464. The signature ID is 34216 and its default severity is "high". We recommend that customers set a block action for this and other high and critical vulnerability signatures.

As always, Palo Alto Networks strives to provide the fastest coverage possible for critical new vulnerabilities. Situations such as this one, where AusCERT accidentally discloses a vulnerability early, are thankfully rare. Even so, mistakes do happen, and they provide an ideal opportunity to evaluate the responsiveness of your security vendor.