#VU164 Denial of service in ISC BIND - CVE-2016-2775
Published: July 19, 2016 / Updated: August 29, 2017
Vulnerability identifier: #VU164
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-2775
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
ISC BIND
ISC BIND
Software vendor:
ISC
ISC
Description
The vulnerability allows a remote attacker to cause the target service to crash.
The vulnerability exists due to boundary error in BIND. A remote unauthenticated attacker can cause the target BIND server to crash by sending a specially crafted request with a query name and a search list entry that exceeds the maximum allowable length.
Systems using the lightweight resolution protocol via either the 'lwresd' utility or via named using the "lwres" statement in 'named.conf' are affected.
Successful exploitation of this vulnerability may result in denial of service.
The vulnerability exists due to boundary error in BIND. A remote unauthenticated attacker can cause the target BIND server to crash by sending a specially crafted request with a query name and a search list entry that exceeds the maximum allowable length.
Systems using the lightweight resolution protocol via either the 'lwresd' utility or via named using the "lwres" statement in 'named.conf' are affected.
Successful exploitation of this vulnerability may result in denial of service.
Remediation
The vendor has issued a fix (9.9.9-P2, 9.10.4-P2).