Check Point Advisories

BIND 9 DNS Server Dynamic Update Denial of Service - High Confidence (CVE-2009-0696)

Vulnerability
Protection

Check Point Reference:	CPAI-2013-1652
Date Published:	9 Apr 2013
Severity:	Critical
Last Updated:	Tuesday 09 April, 2013
Source:
Industry Reference:	CVE-2009-0696
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	ISC BIND 9 contains a vulnerability that may allow a remote attacker to create a denial-of-service condition. The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates. BIND 9 can crash when processing a specially-crafted dynamic update packet. By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash. ISC notes that the vulnerability affects all servers that are masters for one or more zones (launching the attack against slave zones does not trigger the vulnerability) and is not limited to those that are configured to allow dynamic updates.

Protection Overview

This protection will detect and block DNS update requests for RR of type ANY.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the BIND 9 DNS Server Dynamic Update Denial of Service - High Confidence protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: DNS Enforcement Violation.
Attack Information: BIND 9 DNS server dynamic update denial of service - High Confidence