Security Update (SDNS0501)

Issued: October 7th 2005

Problem: Denial of Service - A specially crafted DNS response packet will cause Simple DNS Plus to freeze and stop responding.

Impact of vulnerability: All features of Simple DNS Plus will be unavailable until the software is restarted. This includes DNS resolving and DNS/DHCP serving.

Affected versions: Simple DNS Plus v. 3.20.00-3.20.02, 3.50.00-3.50.01, 3.60.00-3.60.01, and 4.00.00-4.00.05.
To see which version of Simple DNS Plus you are running, select "About" from the "Help" menu in the main window.

Affected configuration: Recursion enabled (see Options dialog > Offer/Perform DNS recursion for...)
Even if recursion is enabled for LAN clients only, this vulnerability could still be exploited by indirectly causing a local user or system to perform a DNS lookup - for example through an HTML e-mail or web-page.

Recommendation: Users should apply the update or disable all recursion in Simple DNS Plus as soon as possible.
Please note that with recursion disabled, Simple DNS Plus can still be used for hosting DNS for your own domain names, but it will not resolve any other Internet domain names.

Support: If you have any questions or comments about this vulnerability and/or update, please contact us at support@simpledns.com

Acknowledgments: JH Software thanks Mr. Roy Arends, who discovered and reported this issue, for working with us responsibly to help protect users everywhere.

Update procedure for v. 4.00.00 - 4.00.05:
We recommend upgrading to the current version 5.0.
If you do not wish to upgrade at this time, please download and install v. 4.00.07 from http://www.simpledns.com/download-oldver.aspx.

Update procedure for v. 3.60.00 - 3.60.01:
We recommend upgrading to the current version 5.0.
If you do not wish to upgrade at this time, please update to v. 3.60.02 as follows:
1) Make sure that you have version 3.60.01 installed (select "About" from the "Help" menu in the main window). If not, download and install this from http://www.simpledns.com/download-oldver.aspx.
2) Download http://www.simpledns.com/outbox/su/36002/sdnsmain.exe to a temporary location.
3) Stop Simple DNS Plus.
4) Copy the downloaded "sdnsmain.exe" file to the directory where Simple DNS Plus is installed, overwriting the original file.
5) Start Simple DNS Plus.

Update procedure for v. 3.50.00 - 3.50.01:
We recommend upgrading to the current version 5.0.
If you do not wish to upgrade at this time, please update to v. 3.50.02 as follows:
1) Make sure that you have version 3.50.01 installed (select "About" from the "Help" menu in the main window). If not, download and install this from http://www.simpledns.com/download-oldver.aspx.
2) Download http://www.simpledns.com/outbox/su/35002/sdnsmain.exe to a temporary location.
3) Stop Simple DNS Plus.
4) Copy the downloaded "sdnsmain.exe" file to the directory where Simple DNS Plus is installed, overwriting the original file.
5) Start Simple DNS Plus.

Update procedure for v. 3.20.00 - 3.20.02:
We recommend upgrading to the current version 5.0.
If you do not wish to upgrade at this time, please update to v. 3.20.03 as follows:
1) Make sure that you have version 3.20.02 installed (select "About" from the "Help" menu in the main window). If not, download and install this from http://www.simpledns.com/download-oldver.aspx.
2) Download http://www.simpledns.com/outbox/su/32003/sdnsmain.exe to a temporary location.
3) Stop Simple DNS Plus.
4) Copy the downloaded "sdnsmain.exe" file to the directory where Simple DNS Plus is installed, overwriting the original file.
5) Start Simple DNS Plus.
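
A fleet check built from the affected-version list and update procedures above, as an added example (not JH Software's code): it flags installations in the affected ranges, treats any enabled recursion as exposed, and names the per-branch fix including the prerequisite build. The inventory rows, function names and status labels are assumptions made for illustration.

```python
# Added example for advisory SDNS0501. Version ranges, fixed builds and
# prerequisites come from the advisory; the inventory rows are constructed.

# (first affected, last affected, fixed build, build required before the
#  sdnsmain.exe replacement; None = fixed build is a full installer)
BRANCHES = [
    ((3, 20, 0), (3, 20, 2), "3.20.03", "3.20.02"),
    ((3, 50, 0), (3, 50, 1), "3.50.02", "3.50.01"),
    ((3, 60, 0), (3, 60, 1), "3.60.02", "3.60.01"),
    ((4, 0, 0), (4, 0, 5), "4.00.07", None),
]

def parse_version(text):
    """'v. 3.60.01' or '3.60.01' -> (3, 60, 1); ValueError if malformed."""
    parts = text.strip().lstrip("vV. ").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(version, recursion_enabled):
    """Return (status, action). recursion_enabled is True for ANY recursion,
    including LAN-only, which the advisory says is still exploitable."""
    v = parse_version(version)
    for first, last, fixed, prereq in BRANCHES:
        if not first <= v <= last:
            continue
        if prereq is None:
            action = f"install {fixed}"
        elif v == parse_version(prereq):
            action = f"replace sdnsmain.exe with the {fixed} build"
        else:
            action = f"install {prereq}, then replace sdnsmain.exe with the {fixed} build"
        status = "exposed" if recursion_enabled else "mitigated-by-config"
        return status, action
    return "not-listed", "version is outside the advisory's affected ranges"

INVENTORY = [  # constructed sample rows: (host, version, recursion enabled)
    ("dns-a", "3.60.00", True),
    ("dns-b", "4.00.03", True),
    ("dns-c", "3.20.02", False),
    ("dns-d", "4.00.07", True),
]

if __name__ == "__main__":
    for host, ver, rec in INVENTORY:
        print(host, ver, *triage(ver, rec))
```

A host reported as mitigated-by-config still runs an affected build, so the listed action applies before recursion is enabled on it again.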
