Failure to place limits on delegation chaining can allow an attacker to crash BIND or cause memory exhaustion.
By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process).
Additional information: BIND: CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND
All recursive resolvers are affected. Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.
To close the vulnerability, a BIND upgrade is required.
Call to Action
Upgrade BIND to the patched release most closely related to your current version. All OS vendors have already fixed
the bind packages in their OS repositories:
For CentOS/RedHat systems:
# yum update bind
For Debian/Ubuntu systems:
# apt-get install bind9
For a product installed in a Parallels Server Virtualization environment:
To update bind in all containers in a batch, please check article #123952
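As an added illustration, not part of this article: the patched BIND releases that fix this issue also introduced two named.conf options that cap how far a recursive lookup may chase delegations, so the unbounded query chain described above is cut off. The numeric values below are constructed example settings, not defaults quoted from this page; check the ARM for your release before relying on them.

```conf
options {
    // Constructed example for a recursive resolver; these options are
    // only understood by BIND builds that already contain the fix.
    recursion yes;

    // Maximum number of nested delegation levels named will follow
    // while resolving a single lookup. Example value.
    max-recursion-depth 7;

    // Maximum number of outgoing queries named will send while
    // resolving a single lookup. Example value.
    max-recursion-queries 75;
};
```

Run named-checkconf after editing; an unpatched named rejects these options as unknown, which is itself a sign that the upgrade has not actually been applied.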
Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.
We also strongly encourage you to stay connected to Parallels for important product-related information via these methods: