
SANS ISC: BIND 9 Update fixing CVE-2013-3919 - SANS Internet Storm Center SANS ISC InfoSec Forums

BIND 9 Update fixing CVE-2013-3919
Today BIND9 received an update fixing a "recursive resolver with a RUNTIME_CHECK error in resolver.c" [1]. Affected versions are BIND 9.6-ESV-R9, 9.8.5, and 9.9.3. The rated CVSS on this one is 7.8 [1,2].
To quote the advisory:
"At the time of this advisory no intentional exploitation of this bug has been observed in the wild. However, the existence of the issue has been disclosed on an open mailing list with enough accompanying detail to reverse engineer an attack and ISC is therefore treating this as a Type II (publicly disclosed) vulnerability, in accordance with our Phased Disclosure Process."
It is time to review those BIND9 servers and start the process of patching.

Richard Porter

--- ISC Handler on Duty


Jun 5th 2013
We've seen a dramatic uptick in Bind/DNS version attempts. They usually come from the same IP addresses, repeatedly. This has been going on for about the last 3-4 days. Anyone else seeing similar traffic? I'm wondering if it is related.
Beave! I just came here looking for hints about the same thing:
21x from
20x from
19x from

Since DNS is a stateless protocol, wouldn't it be easier to just try an exploit than to do a version check first?

I can't imagine CVE-2013-3919 (a mere DoS) being all that interesting to someone doing widespread scans - you would usually have a specific target for that - so maybe this relates to something older?
Steven C.
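
The comments above describe repeated version queries arriving from the same source addresses. As an added example (not part of the original diary or thread), this sketch counts CHAOS-class TXT version queries per client in BIND query-log lines; the sample lines are constructed, and the threshold and the inclusion of `version.server` are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in BIND query-log style (documentation IP ranges).
# Both the older layout and the 9.9-style "(qname)" layout are included.
SAMPLE_LOG = """\
05-Jun-2013 09:14:02.101 queries: info: client 192.0.2.10#40211: query: version.bind CH TXT +
05-Jun-2013 09:14:02.350 queries: info: client 198.51.100.7#53811: query: www.example.com IN A +
05-Jun-2013 09:14:05.007 queries: info: client 192.0.2.10#40212 (VERSION.BIND): query: VERSION.BIND CH TXT + (203.0.113.53)
05-Jun-2013 09:15:11.442 queries: info: client 192.0.2.10#40219: query: version.bind CH TXT +
05-Jun-2013 09:16:40.900 queries: info: client 198.51.100.99#1025: query: version.server CH TXT +
05-Jun-2013 09:17:00.000 queries: info: client 198.51.100.7#53900: query: version.bind.example.com IN TXT +
this line is not a query log entry
"""

# client [@0x...] <ip>#<port> [(<qname>)]: query: <qname> <class> <type> ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Names answered with the server version in the CHAOS class (assumed watch list).
VERSION_NAMES = {"version.bind", "version.server"}


def version_probes(log_text):
    """Count CHAOS-class TXT version queries per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query log entry
        qname = m.group("qname").rstrip(".").lower()
        if (qname in VERSION_NAMES and m.group("qclass") == "CH"
                and m.group("qtype") == "TXT"):
            hits[m.group("ip")] += 1
    return hits


def repeat_probers(log_text, threshold=3):
    """Return (ip, count) pairs at or above the threshold, busiest first."""
    return [(ip, n) for ip, n in version_probes(log_text).most_common()
            if n >= threshold]


if __name__ == "__main__":
    for ip, n in repeat_probers(SAMPLE_LOG):
        print(f"{n}x from {ip}")
```
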
