SB2016111110 - Fedora 24 update for bind99

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016111110

SB2016111110 - Fedora 24 update for bind99

Published: November 11, 2016 Updated: April 24, 2025

Security Bulletin ID SB2016111110
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) AXFR/IXFR response processing flaw in BIND (CVE-ID: CVE-2016-6170)

CWE-ID: CWE-233 - Improper Handling of Parameters

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause the target service to crash.

The vulnerability exists due to resource error in BIND. A remote primary DNS server can cause the target secondary DNS server to crash by sending a specially crafted AXFR response or IXFR response. A remote unauthenticated attacker may be able to send a specially crafted UPDATE message to cause the target server to crash.

Successful exploitation of this vulnerability may result in denial of service.


2) Denial of service (CVE-ID: CVE-2016-8864)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to imptoper input validation. By returning a recursive response containing a specially crafted DNAME answer, a remote attacker can trigger a flaw in 'db.c' or 'resolver.c' and cause the target resolver to crash.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Remediation

Install update from vendor's website.

References