DNS Vulnerabilities

The information on this page may be obsolete. For the current documentation, please log into the mySAINT portal using your customer login and password. Updated 06/30/17

Impact

This document covers several BIND vulnerabilities that malicious users can exploit to gain unauthorized, privileged access to target machines, disrupt service on target machines, or launch DNS spoofing attacks.

Background

The Berkeley Internet Name Daemon (BIND) is an implementation of the Domain Name Service (DNS) written primarily for UNIX systems. BIND consists of three parts:

DNS servers generally fall into one of two categories:

The DNS Security Extensions (DNSSEC) add security features to the DNS. In DNSSEC-enabled DNS systems every response record is digitally signed, so the DNS server and the DNS client are able to verify the data by checking each signature against the zone's public key.

The Problems


BIND fixed two vulnerabilities in TSIG authentication

06/30/17
CVE 2017-3142
CVE 2017-3143
BIND 9.4.0 through 9.8.8, 9.9.0 through 9.9.10-P1, 9.10.0 through 9.10.5-P1, 9.11.0 through 9.11.1-P1, 9.9.3-S1 through 9.9.10-S2, and 9.10.5-S1 through 9.10.5-S2 are affected by two vulnerabilities, which could allow an unauthorized user to bypass TSIG authentication to transfer or update zone contents.


BIND installer on Windows vulnerability

06/15/17
CVE 2017-3141
BIND 9.2.6-P2 through 9.2.9, 9.3.2-P1 through 9.3.6, 9.4.0 through 9.8.8, 9.9.0 through 9.9.10, 9.10.0 through 9.10.5, 9.11.0 through 9.11.1, 9.9.3-S1 through 9.9.10-S1, and 9.10.5-S1 are affected by a vulnerability, which could allow a local user to achieve privilege escalation if the host file system permissions allow this. The vulnerability exists because the BIND installer on Windows uses an unquoted service path.


Response Policy Zones (RPZ) denial of service

06/15/17
CVE 2017-3140
BIND 9.9.10, 9.10.5, 9.11.0 through 9.11.1, 9.9.10-S1, and 9.10.5-S1 are affected by a vulnerability, which could result in a denial of service. The vulnerability exists due to a flaw in the way BIND handled processing of Response Policy Zones (RPZ) rules.


BIND DNSSEC assertion failure

05/10/17
CVE 2017-3139
BIND versions as shipped with Red Hat Enterprise Linux 6 are affected by a vulnerability, which could result in a denial of service. The vulnerability exists due to a flaw in the way BIND handled DNSSEC validation.


DNS64 assertion failure

04/14/17
CVE 2017-3136
A vulnerability in BIND when using DNS64 could allow an attacker to construct a query which causes an assertion failure, leading to a denial of service. The break-dnssec option must be enabled in order for the vulnerability to be exploited.

BIND 9.8.0 through 9.8.8-P1, 9.9.0 through 9.9.9-P6, 9.9.10b1 through 9.9.10rc1, 9.10.0 through 9.10.4-P6, 9.10.5b1 through 9.10.5rc1, 9.11.0 through 9.11.0-P3, 9.11.1b1 through 9.11.1rc1, and 9.9.3-S1 through 9.9.9-S8 are affected by this vulnerability.


CNAME and DNAME ordering denial of service

04/14/17
CVE 2017-3137
A vulnerability in BIND could allow an attacker to cause an assertion failure in a server which is performing recursion. The attacker would need to be able to cause the server to receive a response containing CNAME or DNAME resource records with certain ordering.

BIND 9.9.9-P6, 9.9.10b1 through 9.9.10rc1, 9.10.4-P6, 9.10.5b1 through 9.10.5rc1, 9.11.0-P3, 9.11.1b1 through 9.11.1rc1, and 9.9.9-S8 are affected by this vulnerability.


Control channel null command string vulnerability

04/14/17
CVE 2017-3138
BIND is affected by a denial-of-service vulnerability if the control channel is configured. An attacker who sends a null command string to the control channel can trigger a REQUIRE assertion failure, causing the service to terminate. The attacker must reside on a host which is within the ACL permitted access to the control channel in order to exploit the vulnerability.

BIND 9.9.9 through 9.9.9-P7, 9.9.10b1 through 9.9.10rc2, 9.10.4 through 9.10.4-P7, 9.10.5b1 through 9.10.5rc2, 9.11.0 through 9.11.0-P4, 9.11.1b1 through 9.11.1rc2, and 9.9.9-S1 through 9.9.9-S9 are affected by this vulnerability.


Some configurations in BIND can lead the target to crash

02/09/17
CVE 2017-3135
ISC BIND 9.8.8, 9.9.3-S1 through 9.9.9-S7, 9.9.3 through 9.9.9-P5, 9.9.10b1, 9.10.0 through 9.10.4-P5, 9.10.5b1, 9.11.0 through 9.11.0-P2, and 9.11.1b1 are prone to denial of service attacks. Some configurations using both DNS64 and RPZ can lead to an INSIST assertion failure or a NULL pointer read, which causes the process to be terminated.


Multiple vulnerabilities fixed in 9.9.9-P5, 9.10.4-P5, and 9.11.0-P2

01/12/17
CVE 2016-9131
CVE 2016-9147
CVE 2016-9444
CVE 2016-9778
Multiple assertion failures during recursion, which could lead to denial of service to clients, are fixed in ISC BIND:


Assertion Failure in db.c or resolver.c denial of service vulnerability

11/02/16
CVE 2016-8864
ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.9-P3, 9.9.3-S1 through 9.9.9-S6, 9.10.0 through 9.10.4-P4, and 9.11.0 are prone to a denial of service attack. The vulnerability exists due to BIND's handling of responses containing a DNAME answer. A server encountering an assertion error in db.c or resolver.c will stop, resulting in denial of service.


Malformed options can trigger an assertion failure in ISC Bind

10/24/16
CVE 2016-2848
ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record.


Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request

09/27/16
CVE 2016-2776
ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.9-P2, 9.9.3-S1 through 9.9.9-S3, 9.10.0 through 9.10.4-P2, and 9.11.0a1 through 9.11.0rc1 are prone to a denial of service attack. The vulnerability exists due to a flaw in the rendering of messages into packets when a nameserver is constructing a response to a query that meets certain criteria.


A query name which is too long can cause a segmentation fault in lwresd

07/29/16
CVE 2016-2775
ISC BIND 9.0.x through 9.9.9-P1, 9.10.0 through 9.10.4-P1, and 9.11.0a3 through 9.11.0b1 are prone to a denial of service attack. The vulnerability exists due to an error in the lwresd utility when a query name exceeds the maximum allowable length.


Malicious primary DNS servers can crash secondaries

07/08/16
CVE 2016-6170
ISC BIND through 9.10.4-P1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response, and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.


Servers with DNS cookie support enabled vulnerability

03/11/16
CVE 2016-2088
resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies are enabled, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed packet with more than one cookie option.


Two denial of service vulnerabilities fixed in ISC BIND

03/10/16
CVE 2016-1285
CVE 2016-1286


REQUIRE assertion failure in rdataset.c

03/03/16
CVE 2016-1284
rdataset.c in ISC BIND 9 Supported Preview Edition 9.9.8-S before 9.9.8-S5, when nxdomain-redirect is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via crafted flag values in a query.


Two denial of service vulnerabilities

01/22/16
CVE 2015-8704
CVE 2015-8705
ISC BIND is affected by two vulnerabilities. First, ISC BIND versions 9.3.0 through 9.8.8, 9.9.0 through 9.9.8-P2, 9.9.3-S1 through 9.9.8-S3, and 9.10.0 through 9.10.3-P2 are vulnerable due to a buffer overflow that causes named to exit with an INSIST failure in apl_42.c. Second, ISC BIND versions 9.10.0 through 9.10.3-P2 are vulnerable due to errors in converting OPT resource records and ECS options to text format, which may result in a REQUIRE assertion failure in buffer.c.


A race condition vulnerability when handling socket errors

12/16/15
CVE 2015-8461
ISC BIND versions 9.9.8 through 9.9.8-P1, 9.9.8-S1 through 9.9.8-S2, 9.10.3 through 9.10.3-P1 are prone to denial of service attacks. The vulnerability exists due to a flaw in BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c.


An assertion failure in db.c

12/16/15
CVE 2015-8000
ISC BIND versions 9.0.x through 9.9.8-P1, 9.10.0 through 9.10.3-P1 are prone to denial of service attacks. The vulnerability exists due to a flaw in the parsing of incoming responses with a malformed class attribute. An attacker who can cause a server to request a record with a malformed class attribute can use this vulnerability to trigger a REQUIRE assertion in db.c, causing named to exit and denying service to clients.


REQUIRE assertion failure vulnerability

09/03/15
CVE 2015-5986
ISC BIND versions 9.9.7 through 9.9.7-P2 and 9.10.2 through 9.10.2-P3 are prone to denial of service attacks. The vulnerability exists due to an incorrect boundary check in "openpgpkey_61.c" which can cause named to terminate due to a REQUIRE assertion failure, resulting in denial of service to clients.


DNSSEC key parsing vulnerability

09/03/15
CVE 2015-5722
ISC BIND versions 9.0.0 through 9.8.8, 9.9.0 through 9.9.7-P2, and 9.10.0 through 9.10.2-P3 are prone to denial of service attacks. The vulnerability exists due to a flaw in the way the application parses a malformed DNSSEC key. The vulnerability may cause BIND to exit due to a failed assertion in "buffer.c".


TKEY error handling vulnerability

07/29/15
CVE 2015-5477
ISC BIND versions 9 through 9.9.7-P1 and 9.10.0 through 9.10.2-P2 are prone to denial of service attacks. The vulnerability exists due to a flaw in the way the application handles queries for TKEY records. A remote attacker could use this flaw to trigger a REQUIRE assertion failure, causing BIND to exit unexpectedly.


Recursive Resolver performing DNSSEC validation vulnerability

07/07/15
CVE 2015-4620
ISC BIND versions 9.7.1 through 9.9.7 before 9.9.7-P1 and 9.10.0 through 9.10.2-P1 are prone to a vulnerability which can cause a resolver to crash when validating specially constructed zone data. This means that a recursive resolver that is performing DNSSEC validation can be deliberately stopped by an attacker who can cause the resolver to perform a query against a maliciously-constructed zone.


Trust Anchor Management Vulnerability

02/20/15
CVE 2015-1349
ISC BIND versions 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2 are prone to a vulnerability, which can be exploited by a remote attacker to cause the named service to crash. When BIND servers are configured to perform DNSSEC validation and are using managed-keys, the vulnerability is triggered when handling a certain set of conditions in managed trust anchors.


ISC BIND GeoIP features can cause BIND to crash

12/11/14
CVE 2014-8680
ISC BIND versions 9.10.0 to 9.10.1 are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability exists due to unspecified flaws in the GeoIP feature.


ISC BIND Delegation Handling Vulnerability

12/11/14
CVE 2014-8500
ISC BIND versions before 9.9.6-P1 and before 9.10.1-P1 are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability exists due to a flaw in the Domain Name Service when handling a maliciously-constructed zone or queries from a rogue server.


ISC BIND named EDNS Option Vulnerability

06/17/14
CVE 2014-3859
ISC BIND versions before 9.10.0-P2 are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability exists due to an error in the EDNS option processing. The vulnerability can be exploited to cause named to terminate with an assertion failure when handling a specially crafted query.


Recursive Nameservers Prefetch Failed Assertion Denial of Service Vulnerability

05/12/14
CVE 2014-3214
ISC BIND versions before 9.10.0-P1 are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability exists due to an error in the prefetch feature when processing certain queries. The vulnerability can be exploited to trigger an assertion failure and could cause a crash when the server is operating as a recursive nameserver.


NSEC3-Signed Zones Queries Handling Denial of Service Vulnerability

01/17/14
CVE 2014-0591
ISC BIND versions before 9.9.4-P2, 9.8.6-P2, and 9.6-ESV-R10-P2 are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability exists due to an error when handling queries for NSEC3-signed zones. The vulnerability can be exploited to cause a crash with an "INSIST" failure by sending a specially crafted query.

Note: Successful exploitation requires an authoritative nameserver serving at least one NSEC3-signed zone.


"localnets" Access Control List Vulnerability

11/12/13
CVE 2013-6230
ISC BIND versions before 9.9.4-P1, 9.8.6-P1, and 9.6-ESV-R10-P1 are prone to a vulnerability, which can be exploited to bypass certain security restrictions. The vulnerability exists because of insecure handling of the Winsock WSAIoctl API. The vulnerability can be exploited to bypass ACLs and gain access to the features accessible to the "localnets" ACL.


RDATA Handling Assertion Failure Denial of Service Vulnerability

08/02/13
CVE 2013-4854
ISC BIND versions 9.8.0 through 9.8.5-P1 and versions 9.9.0 through 9.9.3-P1 are prone to a vulnerability, which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused due to an error when parsing RDATA within a DNS query and can be exploited to crash the server via a specially crafted query.


Recursive Query Handling Denial of Service Vulnerability

06/13/13
CVE 2013-3919
ISC BIND versions 9.6-ESV-R9, 9.8.5, 9.9.3, and prior are prone to a vulnerability, which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused due to an error when handling recursive queries for zones. The vulnerability can be exploited to cause a crash.


Regular Expression Handling Denial of Service Vulnerability

03/28/13
CVE 2013-2266
ISC BIND before 9.8.4-P2 and 9.9.2-P2 is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error when handling regular expressions. This can be exploited to exhaust memory resources and render the server unusable.


AAAA Record Lookup Handling Assertion Failure Vulnerability

01/28/13
CVE 2012-5689
ISC BIND versions 9.8.0 through 9.8.4-P1 and 9.9.0 through 9.9.2-P1 are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when remapping A records into AAAA records while handling AAAA record lookups for an A record rewrite rule in a Response Policy Zone (RPZ). This can be exploited to trigger an assertion failure and terminate the named process.

Successful exploitation requires configurations involving DNS64 with a Response Policy Zone that lacks an AAAA rewrite rule.


DNS64 REQUIRE Assertion Failure Denial of Service Vulnerability

12/10/12
CVE 2012-5688
ISC BIND versions 9.8.0 through 9.8.4 and 9.9.0 through 9.9.2 are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the DNS64 IPv6 transition mechanism when handling certain queries, which can be exploited to trigger a REQUIRE assertion and crash the server via a specially crafted DNS query.


Record Handling Lockup Vulnerability

10/12/12
CVE 2012-5166
ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.6-ESV before 9.6-ESV-R7-P4 is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when handling queries for certain records and can be exploited to cause the named process to lock up.


Resource Record Denial of Service Vulnerability

09/18/12
CVE 2012-4244
ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an assertion error when processing resource records having RDATA greater than 65535 bytes. This can be exploited to, for example, crash a recursive server via a query that requests a record from an authoritative server.


Bad Cache Assertion Failure and TCP Query Denial of Service Vulnerabilities

07/30/12
CVE 2012-3817
CVE 2012-3868
ISC BIND before 9.9.1-P2, 9.8.3-P2, 9.7.6-P2, or 9.6-ESV-R7-P2 is prone to two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).


Handling of DNS Resource Record Vulnerability

06/07/12
CVE 2012-1667
ISC BIND before 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, or 9.9.1-P1 is prone to a vulnerability, which can be exploited by malicious people to cause a crash, restart or disclose some portion of memory to the client. The vulnerability is caused due to an error when handling DNS resource records containing zero length rdata.


Deleted Domain Name Resolving Vulnerability

02/15/12
CVE 2012-1033
ISC BIND 9.x is prone to a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error within the cache update policy, which does not properly handle revoked domain names. This can be exploited to keep the domain name resolvable after being deleted from registration.


BIND 9 Resolver crash

11/25/11
CVE 2011-4313
BIND 9 is affected by a denial-of-service vulnerability, in which queries for a certain type of invalid cached record crash the DNS resolver service after logging an error. BIND 9.0 to 9.6, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 to 9.7.4, 9.8.0, 9.8.1, and 9.9.0a1 to 9.9.0b1 are affected by this vulnerability.


Multiple Denial of Service Vulnerabilities fixed in 9.8.0-P4

07/12/11
CVE 2011-2464
CVE 2011-2465
ISC BIND before 9.8.0-P4 is prone to multiple Denial of Service vulnerabilities:


Negative Caching RRSIG RRsets Denial of Service Vulnerability

06/01/11
CVE 2011-1910
ISC BIND before 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2 is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an assertion error within the processing of negative responses containing large RRSIG RRsets.


Response Policy Zones RRSIG Query Assertion Failure Denial of Service Vulnerability

05/16/11
CVE 2011-1907
BIND 9.8.0 is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an assertion failure when processing RRSIG queries if the Response Policy Zones mechanism is used for RRset replacement, which can be exploited to terminate the server via RRSIG queries.


IXFR or DDNS Update Deadlock Denial of Service Vulnerability

03/09/11
CVE 2011-0414
ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative server, allows remote attackers to cause a denial of service by sending a query at the time of (1) an IXFR transfer or (2) a DDNS update.


DNSSEC Validation Remote Denial of Service Vulnerability

01/05/11
CVE 2010-3762
ISC BIND before 9.7.2-P2 is prone to a remote denial-of-service vulnerability because the software fails to handle certain bad signatures in a DNS query. An attacker can exploit this issue to cause the application to crash, denying service to legitimate users.


Multiple vulnerabilities fixed in BIND 9.7.2-P3

12/17/10
CVE 2010-3613
CVE 2010-3614
CVE 2010-3615
BIND versions prior to 9.4-ESV-R4, 9.6.2-P3, 9.6-ESV-R3, and 9.7.2-P3 are affected by three vulnerabilities:


Denial Of Service and Security Bypass Vulnerability

10/13/10
CVE 2010-0218
ISC BIND before 9.7.2-P2 is prone to a security-bypass vulnerability and a denial-of-service vulnerability. Successfully exploiting these issues allows remote attackers to crash affected DNS servers, denying further service to legitimate users, and to bypass certain security restrictions and perform unauthorized actions.


RRSIG Record Type Remote Denial of Service Vulnerability

08/03/10
CVE 2010-0213
ISC BIND before 9.7.1-P2 is prone to a remote denial-of-service vulnerability because the software fails to handle certain record types. An attacker can exploit this issue to cause the application to fall into an infinite loop, denying service to legitimate users.


BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning Vulnerability

02/03/10
CVE 2010-0097
ISC BIND 9 is prone to a remote cache-poisoning vulnerability. An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.


BIND 9 DNSSEC Query Response Additional Section Remote Cache Poisoning Vulnerability

12/16/09
CVE 2009-4022
ISC BIND 9 is prone to a remote cache-poisoning vulnerability. An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.


BIND 9 Dynamic Update Request Denial of Service

08/05/09
CVE 2009-0696
There is a denial of service vulnerability in ISC BIND 9. This vulnerability is due to an error when ISC BIND 9 handles dynamic update messages. An unprivileged remote attacker can exploit this flaw by sending malicious dynamic update requests to a target DNS server. Successful exploitation would cause a denial of service condition.


BIND client spoofing vulnerability

07/09/08
CVE 2008-1447
The DNS protocol in BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1 allows remote attackers to spoof DNS traffic via cache poisoning techniques. These techniques are made possible by insufficient randomness of DNS transaction IDs and source ports.


BIND inet_network() Off-by-One Buffer Overflow

02/05/08
CVE 2008-0122
Multiple applications that use the libbind BIND library are vulnerable to an off-by-one buffer overflow attack by remote unauthenticated users. This vulnerability is a result of the inet_network() function not properly sanitizing user input before copying it to another undersized memory buffer. Successfully exploiting this vulnerability may allow attackers to execute arbitrary code in the context of the application. Unsuccessful attacks may cause the applications to crash, thereby causing denial of service. BIND versions 9.5.x prior to 9.5.0b2, 9.4.x prior to 9.4.3, and prior to 9.3.5 are vulnerable.


Fedora Core 8 and RHE5 local denial of service

12/25/07
CVE 2007-6283
Under certain conditions, Fedora Core 8 and Red Hat Enterprise 5 have the /etc/rndc.conf file accessible to all users, allowing local users to stop named, change the logging level, request a configuration or zone file reload, and disable updates of dynamic zones.


Cryptographically weak DNS query identifiers in BIND version 8

08/30/07
CVE 2007-2930
Versions 8.2 through 8.4.7 (unpatched) of the BIND software use a weak algorithm to generate DNS query identifiers. This condition allows an attacker to reliably guess the next query ID, thereby allowing for DNS cache poisoning attacks.


allow-query-cache/allow-recursion default ACL weakness

07/27/07
CVE 2007-2925
The default access control lists (ACLs) are not correctly set in BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5, allowing remote attackers to make recursive queries or query the cache contents.


DNS Query ID Cryptographic Weakness

07/27/07
CVE 2007-2926
A cryptographic weakness in the generation of DNS query IDs could expose the DNS server to a cache poisoning attack. This bug only affects outgoing queries, generated by BIND 9 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers. BIND 9.2 through 9.2.8, 9.3 through 9.3.4, 9.4 through 9.4.1, and 9.5.0a1 through 9.5.0a5 are affected by this vulnerability.


query_addsoa Denial of Service

05/02/07
CVE 2007-2241
BIND versions 9.4.0 and 9.5.0a1-9.5.0a3 have a vulnerability leading to denial of service. The vulnerability is caused by an assertion failure in the query_addsoa function while handling DNS messages. Remote attackers can exploit this vulnerability by sending a specially crafted sequence of queries and cause a denial of service condition in the DNS server.


Remote Fetch Context Denial of Service

02/02/07
CVE 2007-0493
Under certain circumstances the named application can be caused to access a fetch context in an area of memory that has already been freed, resulting in named exiting unintentionally. BIND versions 9.3.0-9.3.3, 9.4.0a1-9.4.0a6, 9.4.0b1, and 9.5.0a1 are vulnerable.


Remote DNSSEC Validation Denial of Service

02/02/07
CVE 2007-0494
When recursion and DNSSEC validation have been enabled on a DNS server, BIND may be vulnerable to a denial of service attack. In situations where a recursive/DNSSEC-enabled server requests ANY record type for the domain, and the authoritative server returns multiple signed records, a failure in the DNSSEC validation of these records may cause the named process of the requesting server to exit unintentionally. BIND versions 9.0.x, 9.1.x, 9.2.0-9.2.7, 9.3.0-9.3.3, 9.4.0a1-9.4.0a6, 9.4.0b1-9.4.0b4, 9.4.0rc1, and 9.5.0a1 are vulnerable if configured to enable recursion and DNSSEC validation.


RSA key with exponent 3 forgery

12/04/06
CVE 2006-4339
Some Linux versions of BIND prior to 9.3.1 are affected by a vulnerability in the DNSSEC implementation. This is caused by a vulnerability in OpenSSL which, when an RSA key with exponent 3 is used, removes PKCS-1 padding before generating a hash. This allows remote attackers to forge a PKCS #1 v1.5 signature.


SIG denial of service

09/09/06
CVE 2006-4095
CVE 2006-4096
ISC BIND versions prior to 9.2.6 Patch 1 and 9.3.0 through 9.3.2 Patch 1 are vulnerable to two denial of service vulnerabilities. One is caused by crafted malformed SIG queries, the other by a flood of recursive queries which cause an INSIST failure.


TSIG denial of service

05/08/06
CVE 2006-2073
ISC BIND version 9.3.2 is vulnerable to a denial of service vulnerability caused by a broken TSIG in the second or later message of a zone transfer. However, since a correct TSIG is required in the first message, ISC has decided to fix this vulnerability in a later scheduled BIND release. Previous releases are also vulnerable.


q_usedns Array Buffer Overflow

01/27/05
CVE 2005-0033
There is a buffer overflow in the array which is used to track name servers and addresses which have been queried. This could allow a remote attacker to crash named if recursion or glue-fetching is enabled. BIND 8.4.4 and 8.4.5 are affected by this vulnerability.


BIND REQUIRE Test Failure

01/27/05
CVE 2005-0034
A flaw in the authvalidated function can cause an internal consistency test to fail, causing named to exit. This could allow a remote attacker to cause a denial of service if the DNSSEC option is enabled. Only BIND 9.3.0 is affected by this vulnerability.


Cached SIG Resource Record Buffer Overflow

11/12/02
CVE 2002-1219
A flaw in the formation of DNS responses containing cached SIG resource records could allow a remote attacker to execute commands on the server. In order for this vulnerability to be exploited, the attacker must be able to cause the victim server to cache DNS information, which requires the attacker to have control of an authoritative DNS server and the victim server to have recursion enabled. BIND versions 4.9.5 through 4.9.10, 8.1, 8.2 through 8.2.6, and 8.3.0 through 8.3.3 are affected by this vulnerability. BIND 9 is not affected.


Large OPT Payload Denial of Service

11/12/02
CVE 2002-1220
By requesting a DNS lookup on a nonexistent sub-domain of a valid domain and attaching an OPT resource record with a large UDP payload, a remote attacker could cause recursive BIND servers to crash. BIND 8.3.0 through 8.3.3 are affected by this vulnerability.


Invalid SIG Expiry Time Denial of Service

11/12/02
CVE 2002-1221
By creating cached SIG resource records with invalid expiry times which are then deleted from the internal database, an attacker could cause BIND to dereference a null pointer, thus causing BIND to crash. In order to exploit this vulnerability, an attacker would need prior control of an authoritative name server, and BIND would need to have recursion enabled. BIND 8.2 through 8.2.6 and 8.3.0 through 8.3.3 are affected by this vulnerability.


DNS Spoofing Through Multiple Simultaneous Requests

12/03/02
CVE 2002-2211
BIND 4 and BIND 8 allow multiple simultaneous requests. If a client sends many simultaneous resolution requests for the same domain name, BIND will send a query to that domain's name server for each of the simultaneous requests, with a unique identifier for each query. By successfully guessing any one of these identifiers, an attacker could create a fake response which would be accepted by BIND, thus injecting spoofed DNS entries into the cache. An attacker could increase his or her odds of a successful attack by increasing the number of simultaneous requests.

DNS spoofing could allow an attacker to launch various types of attacks on other hosts which rely on the vulnerable DNS server, such as impersonation of legitimate web servers, and unauthorized access by exploitation of hostname-based trust relationships.

BIND 4 through 4.9.11, 8.0 through 8.2.7, and 8.3 through 8.3.4 are affected by this vulnerability.


Buffer Overflow in Transaction Signature code

CVE 2001-0010

BIND 8.2 through BIND 8.2.2 (all patch levels) send the program to an error handling routine when an invalid transaction signature is detected. This error handling procedure initializes variables differently from the normal procedure, such that when a valid signature is then processed a buffer overflow condition is created. This condition along with other buffer overflow exploitation techniques could allow an attacker to gain unauthorized access to the system.

Note: 8.2.3 beta versions are also vulnerable.


Buffer Overflow in nslookupComplain

CVE 2001-0011
CVE 2001-0013

BIND 4.9 through BIND 4.9.7 use a fixed-length buffer to build error messages to send to syslog. An attacker could overflow this buffer by sending a specially crafted DNS query, allowing arbitrary code to be executed.


Information Leak

CVE 2001-0012

By sending a specially crafted DNS query to the server, a remote attacker could access the program stack, thus gaining knowledge of program variables. BIND 4 through BIND 4.9.7 and BIND 8 through BIND 8.2.2 (all patch levels) are affected by this vulnerability.


Improper Handling of NXT Records

CVE 1999-0833

BIND 8.2 and BIND 8.2.1 fail to properly validate NXT records. An attacker could exploit this problem and gain access to the name server by causing a buffer to overflow. BIND 4.9 and BIND 8 prior to BIND 8.2 are not vulnerable to this problem but have other problems (see below).


Cache Poisoning

CVE 1999-0024

Cache poisoning occurs when malicious or misleading data received from a remote name server is saved (cached) by another name server. This "bad" data is then made available to programs that request the cached data through the client interface. Cache poisoning is being used to adversely affect the mapping between host names and IP addresses. Once this mapping has been changed, any information sent between hosts on a network may be subjected to inspection, capture, or corruption.


Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases

CVE 1999-0009

BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to BIND 8.1.2 do not properly bounds-check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream might allow a remote intruder to gain root-level access on a name server or disrupt the normal operations of the name server.

The inverse query feature is disabled by default, so only systems that have been explicitly configured to allow it are vulnerable. To determine if a system is vulnerable:
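A configuration check a defender could script for the condition described above, as an added example that is not from the page or from BIND: it assumes that inverse queries are enabled by the BIND 8 named.conf boolean option `fake-iquery` and by the BIND 4 named.boot directive `options fake-iquery`, and it tolerates comments and nested brace blocks in named.conf.

```python
import re


def _strip_comments(text):
    """Remove /* */, // and # comments from named.conf text."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block_after(text, keyword):
    """Return the body of the brace block following `keyword`, honouring nesting."""
    m = re.search(r"\b" + keyword + r"\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # unterminated block: return what there is


def bind8_inverse_query_enabled(named_conf):
    """True when a BIND 8 named.conf sets fake-iquery to yes/true/1 in options."""
    body = _block_after(_strip_comments(named_conf), "options")
    return re.search(r"\bfake-iquery\s+(yes|true|1)\s*;", body, re.I) is not None


def bind4_inverse_query_enabled(named_boot):
    """True when a BIND 4 named.boot carries an 'options fake-iquery' directive."""
    for line in named_boot.splitlines():
        words = line.split(";", 1)[0].split()  # ';' starts a comment in named.boot
        if words and words[0] == "options" and "fake-iquery" in words[1:]:
            return True
    return False


# Constructed sample files (not from the page)
VULNERABLE_CONF = """\
options {
    directory "/var/named";
    allow-transfer { none; };   // nested braces must not end the options block
    fake-iquery yes;            // enables inverse queries: vulnerable
};
"""
SAFE_CONF = """\
/* fake-iquery yes;  left over from an old config, commented out */
options { directory "/var/named"; };
"""
```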


Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases

CVE 1999-0010
CVE 1999-0011
CVE 1999-0835
CVE 1999-0837
CVE 1999-0848
CVE 1999-0849
CVE 1999-0851
CVE 2000-0887
CVE 2000-0888

BIND 8 releases prior to BIND 8.2.2-P7 and all BIND 4.9 releases have a variety of problems which could allow an improperly or maliciously formatted DNS message to crash the server or yield garbage record data. Many DNS utilities that process DNS messages (e.g., dig, nslookup) also fail to do proper bounds checking. Any system running BIND 4.9 or BIND 8 prior to BIND 8.2.2-P7 is vulnerable.


Denial-of-Service Vulnerability in BIND 8 Releases

CVE 1999-0011

Assume that the following self-referential resource record is in the cache on a name server:

	foo.example.	IN	A	CNAME	foo.example.

The actual domain name used does not matter; the important thing is that the target of the CNAME is the same name. The record could be in the cache either because the server was authoritative for it or because the server is recursive and someone asked for it. Once this record is in the cache, issuing a zone transfer request using its name (e.g., "dig @my_nameserver foo.example. axfr") will cause the server to abort(). Most sites will not contain such a record in their configuration files. However, it is possible for an attacker to engineer such a record into the cache of a vulnerable nameserver and thus cause a denial of service.

If the BIND 8 server is not recursive and does not fetch glue, then the problem may be exploited only if the self-referential resource record is in a zone for which the server is authoritative. If the global zone transfer ACL in the options block has been set to deny access and has no self-referential CNAMEs in its authoritative zones, then the server is not vulnerable. Otherwise, the server is probably vulnerable to this hack. The nameserver is recursive by default, fetches glue by default and the default global transfer ACL allows all hosts; so many BIND 8 servers will be vulnerable to this problem.
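A zone-file audit for the self-referential CNAME records discussed above, as an added example that is not code from the page or from BIND: it scans master-file text for CNAME records whose target resolves to their own owner name, handling $ORIGIN, "@", relative names, inherited (blank) owners and case, but not parentheses, $INCLUDE or $GENERATE.

```python
"""Find CNAME records that point at their own owner name in zone-file text.
Added example (not from the page or BIND): the condition the page names as
the trigger for the BIND 8 zone-transfer abort()."""

def _absolute(name, origin):
    """Return a lower-cased, fully qualified name relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin

def find_self_referential_cnames(zone_text, origin="."):
    """Return [(line_no, owner)] for every CNAME whose target is its own owner."""
    origin = _absolute(origin, ".")
    hits, last_owner = [], None
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = _absolute(line.split()[1], origin)
            continue
        if line.startswith("$"):                  # other directives are skipped
            continue
        fields = line.split()
        if raw[0] in " \t":                       # blank owner: reuse previous one
            owner = last_owner
        else:
            owner, fields = _absolute(fields[0], origin), fields[1:]
        last_owner = owner
        # skip optional TTL and class so that fields[0] is the record type
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].upper() == "CNAME":
            if _absolute(fields[1], origin) == owner:
                hits.append((line_no, owner))
    return hits

# Constructed sample zone (not from the page); the last two records are the bad kind.
SAMPLE_ZONE = """\
$ORIGIN example.
@        IN  NS     ns1
ns1      IN  A      192.0.2.1
www      IN  CNAME  ns1           ; harmless: target differs from owner
foo      IN  CNAME  foo.example.  ; self-referential, absolute target
FOO2  3600   IN CNAME foo2        ; self-referential, relative target, mixed case
"""
```

Run the function over the zone files of every zone the server is authoritative for (and, for a recursive server, remember that the page's record can also arrive via the cache, which this file-based check cannot see).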


Denial of Service in BIND 9

06/05/02
CVE 2002-0400
BIND 9 versions prior to BIND 9.2.1 have a vulnerability that allows remote attackers to shut down BIND servers. An attacker can cause the shutdown by sending a specific DNS packet designed to create an improperly handled error condition. Because the error condition is correctly detected but is not handled properly, this vulnerability will not allow an intruder to execute arbitrary code or write data to arbitrary locations in memory. The error condition that triggers the shutdown occurs when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL as expected. The condition causes the code to assert an error message and call abort() to shut down the BIND server.

For more information about this vulnerability, see CERT Advisory 2002-15.

Resolution

Check for package updates from the vendor.

Upgrade BIND to 9.9.10-P2 for 9.9.x, 9.10.5-P2 for 9.10.x, or 9.11.1-P2 for 9.11.x.

Please Note: BIND 9.6-ESV, BIND 9.7, and BIND 9.8 have been officially designated "end of life" (EOL) and no longer receive support.

For the REQUIRE assertion failure in rdataset.c, upgrade BIND 9 Supported Preview Edition to 9.9.8-S5 or apply the patch.

As a workaround for the RDATA handling assertion failure denial of service vulnerability, ensure that the RPZ contains an AAAA rewrite rule for every A rewrite rule.

The latest version of BIND is available from the Internet Software Consortium.

To fix the allow-query-cache/allow-recursion default ACL weakness, explicitly set the allow-query-cache and allow-recursion ACLs as instructed by ISC.

Where can I read more about this?

The two TSIG authentication vulnerabilities fixed in BIND were posted to CVE-2017-3142 and CVE-2017-3143.

The BIND installer on Windows vulnerability was posted to CVE-2017-3141.

The Response Policy Zones (RPZ) denial of service was posted to CVE-2017-3140.

The BIND DNSSEC assertion failure was posted to RHSA-2017-1202.

The DNS64 assertion failure was reported in KB article AA-01465.

The CNAME and DNAME ordering denial of service was reported in KB article AA-01466.

The control channel null command string vulnerability was reported in KB article AA-01471.

The vulnerability in which some configurations in BIND can lead the target to crash was posted in Article AA-01453.

The multiple vulnerabilities fixed in 9.9.9-P5, 9.10.4-P5, and 9.11.0-P2 were reported in Article AA-01439, Article AA-01440, Article AA-01441, and Article AA-01442.

The Assertion Failure in db.c or resolver.c denial of service vulnerability was reported in Article AA-01434.

The vulnerability in which malformed options can trigger an assertion failure in ISC BIND was reported in Article AA-01433.

The Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request was reported in Article AA-01419.

The vulnerability in which an over-long query name can cause a segmentation fault in lwresd was reported in Article AA-01393.

The vulnerability in which malicious primary DNS servers can crash secondaries was reported in CVE-2016-6170.

The vulnerability affecting servers with DNS cookie support enabled was reported in Article AA-01351.

The two denial of service vulnerabilities fixed in ISC BIND were reported in Article AA-01352 and Article AA-01353.

The REQUIRE assertion failure in rdataset.c was reported in Article AA-01348.

The two denial of service vulnerabilities were reported in Article AA-01335 and Article AA-01336.

The race condition vulnerability when handling socket errors was reported in Article AA-01319.

The assertion failure in db.c was reported in Article AA-01317.

The REQUIRE assertion failure vulnerability was reported in Article AA-01291.

The DNSSEC key parsing vulnerability was reported in Article AA-01287.

The TKEY error handling vulnerability was reported in Article AA-01272.

The Recursive Resolver performing DNSSEC validation vulnerability was reported in Article AA-01267.

The Trust Anchor Management Vulnerability was reported in Article AA-01235.

The vulnerability in which the ISC BIND GeoIP features can cause BIND to crash was reported in Article AA-01217.

The ISC BIND delegation handling vulnerability was reported in Article AA-01216.

The ISC BIND named EDNS option vulnerability was reported in Article AA-01166.

The recursive nameservers prefetch failed assertion denial of service vulnerability was reported in BIND-9.10.0-P1.

The NSEC3-Signed zones queries handling denial of service vulnerability was reported in Secunia Advisory SA56427 and Secunia Advisory SA56442.

The "localnets" Access Control List vulnerability was reported in Secunia Advisory SA55607.

The RDATA Handling Assertion Failure Denial of Service vulnerability was reported in Secunia Advisory SA54195.

The Recursive Query Handling Denial of Service vulnerability was reported in Secunia Advisory SA53709.

The Regular Expression Handling Denial of Service vulnerability was reported in Secunia Advisory SA52782.

The AAAA Record Lookup Handling Assertion Failure vulnerability was reported in Secunia Advisory SA51969.

The DNS64 REQUIRE Assertion Failure Denial of Service vulnerability was reported in Secunia Advisory SA51484.

The Record Handling Lockup vulnerability was reported in Secunia Advisory SA50878.

The Resource Record Denial of Service vulnerability was reported in Secunia Advisory SA50610.

The Bad Cache Assertion Failure and TCP Query Denial of Service vulnerabilities were reported in Secunia Advisory SA50020.

The handling of DNS resource record vulnerability was reported in Secunia Advisory SA49338.

The Deleted Domain Name Resolving vulnerability was reported in Secunia Advisory SA47884.

The BIND 9 Resolver crash was reported in an ISC Advisory.

The Multiple Denial of Service Vulnerabilities fixed in 9.8.0-P4 were reported in Secunia Advisory SA45185.

The Negative Caching RRSIG RRsets Denial of Service vulnerability was reported in Secunia Advisory SA44719.

The Response Policy Zones RRSIG Query Assertion Failure Denial of Service vulnerability was reported in Secunia Advisory SA44416.

The IXFR or DDNS Update Deadlock Denial of Service vulnerability was reported in Secunia Advisory SA43443.

The DNSSEC Validation Remote Denial of Service vulnerability was reported in Bugtraq ID 45385.

The three vulnerabilities fixed in BIND 9.7.2-P3 were reported in ISC Advisories 2010-3613, 2010-3614, and 2010-3615.

The Denial Of Service and Security Bypass vulnerability was reported in Bugtraq ID 43573.

The RRSIG Record Type Remote Denial of Service vulnerability was reported in Bugtraq ID 41730.

The BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning vulnerability was reported in Bugtraq ID 37865.

The BIND 9 DNSSEC Query Response Additional Section Remote Cache Poisoning vulnerability was reported in Bugtraq ID 37118.

The BIND 9 OpenSSL DSA certificate validation bypass was reported in OpenSSL Security Advisory 2009-01-07.

The BIND 9 Dynamic Update Request Denial of Service vulnerability was reported in Bugtraq ID 35848.

Details on the vulnerabilities described above can be found on the BIND Vulnerabilities page, VulnWatch, CIRC Bulletins P-113, P-114, and R-333, CERT Advisories 1997-22, 1998-05, 1999-14, 2000-20, 2001-02, 2002-15, and 2002-31, Bugtraq ID 17692, Secunia Advisory SA21752, SUSE-SR:2006:026, Secunia Advisory SA25070, Secunia Advisory SA28180, Secunia Advisory SA28579, and Secunia Advisory SA30973.

For general information on securing DNS servers, see CERT's document, Securing an Internet Name Server.