CVE-2010-0218 ISC BIND Denial of Service and Security Bypass Vulnerabilities

ISC BIND (Berkley Internet Domain Name) is an implementation of DNS protocols.

Two vulnerabilities exist in BIND:

1) An error may allow access to the cache via recursion even though an ACL disallows it.

2) An error when processing records from an authoritative server during DNSSEC query validation can be exploited to cause a server to crash via a bad signature in the response.

Successful exploitation requires BIND running as both authoritative and recursive DNS server in the same view and also requires BIND to be configured as a DNSSEC validating server with multiple trust anchors configured for the same zone.

Affected Versions:
BIND Versions 9.7.2 and 9.7.2-P1 are vulnerable.

The vulnerability can be exploited by malicious users to bypass certain restrictions or cause a denial of service.

Upgrade to BIND to 9.7.2-P2 to resolve this issue.

Refer to BIND 9.7.2 Release Notes for further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

BIND 9.7.2-P2 (BIND 9.7.2-P2)