BIND Control Channel Denial of Service


BIND (Berkeley Internet Name Domain) is a popular software for translating domain names into IP addresses and usually found on Linux servers. It is maintained by ISC (Internet Systems Consortium).

A denial-of-service vulnerability exists in BIND named service, as described by ISC:

BIND 9.11.0 introduced a new option to allow “read only” commands over the command channel. Using this restriction, a server can be configured to limit specified clients to giving control channel commands which return information only (e.g. “rndc status”) without affecting the operational state of the server. The defect described in this advisory, however, is not properly stopped by the “read only” restriction, in essence permitting a privilege escalation allowing a client which should only be permitted the limited set of “read only” operations to cause the server to stop execution.

The vulnerability has been assigned as CVE-2017-3138. A remote, authenticated attacker can exploit this vulnerability by sending a crafted control channel message. Successful attack will lead to termination of the BIND named service. Administrators are urged to upgrade BIND to latest releases.

Sonicwall provides protection against this threat via the following signature:

  • IPS sid:12732 “ISC BIND rndc Control Channel DoS”
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.