Early Vulnerability Notification (EVN)

Up to five days' advance notice

One software vulnerability can enable a successful denial of service attack, disabling critical network services.

Most of the vulnerabilities discovered in BIND 9 are ways to trigger INSIST or ASSERT failures, which cause BIND to exit. When an external user can reliably cause the BIND process to exit, that is a very effective denial of service (DoS) attack. Nanny scripts can restart BIND 9, but in some cases it may take hours to reload, and the server is vulnerable to being shut down again.

Any vulnerability that causes an interruption in your Kea DHCP service could cause cascading failures on your network, as existing leases expire and devices fail to acquire new leases.

Why take unnecessary risk? Protect yourself and your organization by subscribing to ISC’s EVN service.

This annual subscription-based service protects your BIND, Kea and Stork servers.

Vulnerability notification is included in all of our software support subscriptions. We will also sell just the vulnerability notification, without technical support, for an annual fee. You may designate up to four individuals to be notified in the event of a security vulnerability. Your organization will receive notification before the general public, with a patch or patched version of BIND three days prior to any public announcement.

Please note that EVN requires execution of a Non-Disclosure Agreement, to protect both ISC and its customers.

How Does the EVN Work?

ISC follows a careful, published process for handling all serious reported issues.

We are usually able to handle BIND 9 vulnerabilities with our managed disclosure process.*

When a vulnerability is discovered, either through our own testing or by a private report to ISC, we first verify the problem and then we work around the clock to address it. Once we have a solution, we schedule a coordinated public announcement. As much as five days (and at least 3 business days) BEFORE the public announcement, we notify our subscribers of the problem, individually and privately, and offer them a revised version of the software that fixes the problem.

If you are running a current version of a major operating system, we have a restricted-access repository for our subscribers, where we update the packages for you.

* In some cases, a vulnerability is disclosed publicly by the reporter, in which case we are not able to manage the disclosure.

You can protect your core network applications. Contact us to find out how.

How Often Are There Vulnerabilities in BIND 9?

BIND 9 is not on the list of the top 50 software applications in terms of reported security vulnerabilities, but we do typically learn of 4-5 new serious vulnerabilities every year. Most of the newly discovered vulnerabilities have been in the software for years, but they are exposed by new software “fuzz testing” techniques that hammer the software with random malformed messages until one impairs the server’s function. Even if an existing vulnerability has never been used in an Internet attack, it is still important to update BIND 9 servers to prevent future abuse.

The website cvedetails.com displays information on past vulnerabilities by vendor and product. ISC maintains the original announcements in our Knowledgebase, along with a matrix showing which vulnerabilities apply to which BIND 9 releases.

Your subscription helps to sustain ISC’s open source efforts!