CVE-2016-1285: BIND Denial of Service

March 16, 2016

If you’re running a nameserver using BIND, you likely want to update before someone zeroes in on you and causes named to crash.

From Red Hat’s errata:
“A denial of service flaw was found in the way BIND processed certain control channel input. A remote attacker able to send a malformed packet to the control channel could use this flaw to cause named to crash.”

So, if an attacker were able to get named to crash on each of your nameservers, they could (in essence) take down your entire network – anything attached to your domain name.

This affects Red Hat / CentOS 5, 6 and 7, and patches should be readily available through the normal mirrors.

How to update and verify you are safe

To find out if you have an update, you can use yum to query your package and the repos to see if one exists yet:

If there’s a new version available (likely the one listed below in ‘patched versions’), then you can update to the new version like:

After updating, you can verify that your version of bind is updated / patched for this particular problem by checking the changelog for your installed version:
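
The check, update and verify steps above as one script. This is an added example, not the commands from the original post; it assumes the package is named `bind` and that the vendor changelog names the CVE, and the function names and sample changelog entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): update BIND with yum, then
# confirm the installed package's changelog references the CVE fix.
CVE_ID="CVE-2016-1285"

# Read an RPM changelog on stdin; print "patched" if it mentions the CVE.
classify_changelog() {
    if grep -q -- "$CVE_ID"; then
        echo "patched"
    else
        echo "unpatched"
    fi
}

# Report the status of one installed package (assumed name: bind).
pkg_status() {
    if ! rpm -q "$1" >/dev/null 2>&1; then
        echo "not-installed"
        return 0
    fi
    rpm -q --changelog "$1" | classify_changelog
}

# yum check-update exits 100 when an update exists, 0 when none, 1 on error.
update_and_verify() {
    pkg="$1"
    rc=0
    yum -q check-update "$pkg" >/dev/null || rc=$?
    case "$rc" in
        100) yum -y update "$pkg" || return 1 ;;
        0)   echo "$pkg: no update pending" ;;
        *)   echo "$pkg: yum check-update failed" >&2; return 1 ;;
    esac
    echo "$pkg: $(pkg_status "$pkg")"
}

# Constructed sample changelog text, used only to exercise classify_changelog.
SAMPLE_PATCHED='* Mon Mar 14 2016 Example Packager <pkg@example.com>
- Fix CVE-2016-1285 (constructed entry)'
SAMPLE_OLD='* Thu Jan 01 2015 Example Packager <pkg@example.com>
- Rebuild (constructed entry)'

# Touch the live system only when asked: sh check-bind.sh --apply bind
if [ "${1:-}" = "--apply" ]; then
    update_and_verify "${2:-bind}"
fi
```

A result of `unpatched` after the update means the installed build's changelog does not mention the CVE, so the package version should be compared against the vendor advisory.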


Patched versions:

Red Hat / CentOS 5:

Red Hat / CentOS 5 Bind 97:

Red Hat / CentOS 6:

Red Hat / CentOS 7:

More info

https://kb.isc.org/article/AA-01352
https://lists.centos.org/pipermail/centos-announce/2016-March/thread.html
https://access.redhat.com/security/cve/cve-2016-1285
