CVE-2011-1910: BIND buffer DoS exploit

BIND is being updated under CVE-2011-1910 (CVSS Score: 7.8) due to a buffer size check error revealed over the past weekend.

BIND sets up a negative cache to improve performance. In other words, a negative response such as “NXDOMAIN” or “NODATA/NOERROR” can be saved for reference and better response time. Sending a very large set of resource records associated with a name (RRset) in a negative response can cause an off-by-one error (OBOE) and crash named, resulting in a denial-of-service condition.

The nature of this vulnerability allows remote exploitation. An attacker can set up a DNSSEC-signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. The attacker would require access to an organization’s caching resolvers; that access can be direct (open resolvers), through malware (using a botnet to query negative caches), or through driving DNS resolution (a spam run containing a domain in the email that causes the client to perform a lookup).
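For monitoring resolver traffic, the following added example (not code from this post or from the BIND project) parses a raw DNS response and reports negative responses whose authority section carries an unusually large RRSIG RRset. The function names and the `threshold` parameter are assumptions; the post gives no size figure, so the cut-off has to be chosen from your own traffic baseline.

```python
import struct

RRSIG = 46  # RR type code for RRSIG (RFC 4034)

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
        elif n == 0:
            name = ".".join(labels).lower() or "."
            return name, (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def large_negative_rrsig_sets(msg, threshold):
    """Return {owner: count} of authority-section RRSIG RRsets above threshold
    in a negative response (NXDOMAIN, or NOERROR with an empty answer section;
    the latter is a coarse NODATA test that also matches referrals)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    if not (flags & 0x8000) or not (rcode == 3 or (rcode == 0 and an == 0)):
        return {}
    off = 12
    for _ in range(qd):  # skip question entries: name + type + class
        off = read_name(msg, off)[1] + 4
    counts = {}
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an and rtype == RRSIG:
            counts[owner] = counts.get(owner, 0) + 1
    return {o: c for o, c in counts.items() if c > threshold}

def sample_response(n_sigs, rcode=3):
    """Constructed test message: response for nx.example.test carrying n_sigs
    RRSIG records with dummy 4-byte RDATA, owner example.test."""
    hdr = struct.pack("!6H", 0x1234, 0x8000 | rcode, 1, 0, n_sigs, 0)
    question = b"\x02nx\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0f" + struct.pack("!HHIH", RRSIG, 1, 60, 4) + b"\x00" * 4
    return hdr + question + rr * n_sigs
```

Feed it the UDP or reassembled TCP payload of responses arriving at the caching resolver; a non-empty result names the owner and record count to investigate.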
