The Internet Systems Consortium (ISC) has released updates or workarounds that address vulnerabilities in versions of ISC Dynamic Host Configuration Protocol (DHCP) and Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition.
In the case of DHCP, a vulnerability stemming from failure to properly clean up closed OMAPI connections can lead to exhaustion of the pool of socket descriptors available to the DHCP server.
By intentionally exploiting this vulnerability an attacker who is permitted to establish connections to the OMAPI control port can exhaust the pool of socket descriptors available to the DHCP server.
Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator. While the server will continue to receive and service DHCP client requests, the operator can be blocked from the ability to use OMAPI to control server state, add new lease reservations, etc.
The recommended remedy is to disallow access to the OMAPI control port from unauthorized clients (in accordance with best practices for server operation).
According to ISC, it has written a patch which properly cleans up closed socket connections and will include it in future maintenance releases of ISC DHCP.
Regarding BIND, Improper sequencing during cleanup can lead to a use-after-free error, triggering an assertion failure and crash in named.
If an operator is experiencing crashes due to this, temporarily disabling DNSSEC validation can be used to avoid the known problematic code path while replacement builds are prepared, said ISC.
ISC urges users to upgrade to the patched release most closely related to their current version of BIND.