Performance Effects of DNSSEC Validation - July 2022
On July 30, 2022, Petr Špaček spoke at the DNS-OARC38 conference about the performance effects of DNSSEC validation in BIND 9.Read post
The flaw allows remote execution of arbitrary commands by the shell if an attacker can cause data to be passed to the shell as the value of a shell environment variable.
Despite reports to the contrary saying that a 2011 change (CVE-2011-0997) to
dhclient prevents exploitation of this flaw, ISC has confirmed that the DHCP client provided as a part of ISC DHCP can be used to exploit the bash vulnerability if the operator of a rogue DHCP server passes a specially constructed value as the payload of a DHCP option field.
For this and many other reasons, all users running a vulnerable version of bash are advised to update to a secured version as quickly as possible.
Postscript: Readers will naturally want to know whether other ISC products can be used to exploit this condition. We know of no vulnerability in the ISC DHCP server or in BIND 9 that can be used as a vector to exploit the bash flaw. We nevertheless strongly recommend that the best course of action is to upgrade to a secure version of bash due to the seriousness of this flaw.
What's New from ISC