The flaw allows remote execution of arbitrary commands by the shell if an attacker can cause data to be passed to the shell as the value of a shell environment variable.
Despite reports to the contrary saying that a 2011 change (CVE-2011-0997) to dhclient prevents exploitation of this flaw, ISC has confirmed that the DHCP client provided as part of ISC DHCP can be used to exploit the bash vulnerability if the operator of a rogue DHCP server passes a specially constructed value as the payload of a DHCP option field.
For this and many other reasons, all users running a vulnerable version of bash are advised to update to a secured version as quickly as possible.
Postscript: Readers will naturally want to know whether other ISC products can be used to exploit this condition. We know of no vulnerability in the ISC DHCP server or in BIND 9 that can be used as a vector to exploit the bash flaw. We nevertheless strongly recommend upgrading to a secure version of bash, given the seriousness of this flaw.
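As an added example, not code from the ISC post or from ISC DHCP, the following Python parses a DHCP options field (the RFC 2132 type/length/value layout) and flags any option whose value carries a bash function-definition prefix, which is the shape a rogue server's payload must have for the bash flaw to fire once dhclient exports the option into the environment of its script. The option blocks are constructed samples, and the regex is an assumption about the marker worth alerting on.

```python
import re

# Bash "exported function" marker at the start of a value: "() {" with
# tolerated whitespace. Assumed detection signature, not an ISC artefact.
FUNC_DEF = re.compile(rb"^\s*\(\s*\)\s*\{")


def parse_dhcp_options(data: bytes) -> dict:
    """Parse a DHCP options field into {option_code: value_bytes}.
    Option 0 is a single pad byte, option 255 ends the list. A truncated
    option raises ValueError instead of silently returning partial data."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:        # pad
            i += 1
            continue
        if code == 255:      # end of options
            break
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def suspicious_options(data: bytes) -> list:
    """Return option codes whose payload looks like a bash function
    definition; a defender would log or drop such a lease offer."""
    return [c for c, v in parse_dhcp_options(data).items() if FUNC_DEF.match(v)]


def opt(code: int, value: bytes) -> bytes:
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value


# Constructed samples: a normal DHCPACK option block, and one whose domain
# name option (15) carries a function definition instead of a host name.
BENIGN = (opt(53, b"\x05") + opt(54, bytes([192, 168, 1, 1]))
          + opt(51, (3600).to_bytes(4, "big")) + b"\x00" + opt(15, b"example.lan") + b"\xff")
MALICIOUS = (opt(53, b"\x05") + opt(54, bytes([192, 168, 1, 1]))
             + opt(15, b"() { :; }; true") + b"\xff")
```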