#VU13326 Information disclosure in ISC BIND


Published: 2018-06-13 | Updated: 2020-01-30

Vulnerability identifier: #VU13326

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5738

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper access controls. When BIND is configured with "recursion yes;" and no match list values are provided for "allow-query-cache" or "allow-query", the "allow-recursion" setting may permit all hosts to perform recursion. A remote attacker can bypass the intended recursion access controls, make recursive queries to a BIND nameserver in certain cases, and examine the results of queries answered from the cache to determine which queries the server has previously responded to.

Mitigation

Install updates from the vendor's website.

The vendor has described the following workarounds in the advisory:

If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default.

If the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:

  • allow-recursion
  • allow-query
  • allow-query-cache

will prevent the "allow-recursion" control from improperly inheriting a setting from the allow-query default. If a value is set for any of those values the behavior of allow-recursion will be set directly or inherited from one of the other values as described in the BIND Administrator Reference Manual section 6.2.

Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf.
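
A configuration check for the condition and workarounds described above, as an added example that is not part of the vendor advisory or of BIND. It inspects only the global options block (views are not examined) and treats a missing "recursion" statement as enabled; the function names and sample configurations are constructed for illustration.

```python
import re

# Setting any one of these gives allow-recursion a defined value (per the advisory).
ACL_OPTIONS = ("allow-recursion", "allow-query", "allow-query-cache")

def strip_comments(text):
    """Drop /* */, // and # comments; assumes no quoted string contains // or #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_body(text):
    """Return the contents of the global options { ... } block ("" if absent)."""
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]  # unbalanced braces: scan what is there

def audit(conf_text):
    """Return (needs_workaround, acls_present) for one named.conf text."""
    body = options_body(strip_comments(conf_text))
    acls = [o for o in ACL_OPTIONS
            if re.search(r"(?<![\w-])" + re.escape(o) + r"\s*\{", body)]
    m = re.search(r"(?<![\w-])recursion\s+(\w+)\s*;", body)
    # Assumption: an absent "recursion" statement counts as enabled (BIND default).
    recursing = m is None or m.group(1).lower() not in ("no", "false", "0")
    return recursing and not acls, acls

# Constructed sample configurations (not taken from the advisory).
SAMPLES = {
    "no ACLs": 'options { directory "/var/named"; recursion yes; };',
    "workaround": "options { recursion yes; allow-query { localnets; localhost; }; };",
    "recursion off": "options { recursion no; };",
    "ACL commented out": "options {\n recursion yes;\n # allow-recursion { 10.0.0.0/8; };\n};",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        flagged, acls = audit(conf)
        print(f"{name:18} needs_workaround={flagged} acls={acls}")
```

A flagged configuration matters only on a release in the affected range listed below; the check reads configuration text and does not determine the running version.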

Vulnerable software versions

ISC BIND: 9.9.12 - 9.13.0


External links
http://kb.isc.org/article/AA-01616


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

