Check Point Advisories

BIND 9 DNS Server Dynamic Update Denial of Service (CVE-2009-0696)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-219
Date Published:	2 Aug 2009
Severity:	High
Last Updated:	Sunday 07 February, 2016
Source:
Industry Reference:	CVE-2009-0696
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	ISC BIND 9 contains a vulnerability that may allow a remote attacker to create a denial-of-service condition. The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates. BIND 9 can crash when processing a specially-crafted dynamic update packet. By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash. ISC notes that the vulnerability affects all servers that are masters for one or more zones (launching the attack against slave zones does not trigger the vulnerability) and is not limited to those that are configured to allow dynamic updates.

Protection Overview

This protection will detect and block DNS update requests for RR of type ANY.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the BIND 9 DNS Server Dynamic Update Denial of Service protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: DNS Enforcement Violation.
Attack Information: BIND 9 DNS server dynamic update denial of service