#VU33826 Input validation error in ISC BIND


Published: 2015-07-08 | Updated: 2020-08-04

Vulnerability identifier: #VU33826

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-4620

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ISC BIND: 9.7.0 - 9.7.7b1

External links
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162040.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162286.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00050.html
http://lists.opensuse.org/opensuse-updates/2015-07/msg00038.html
http://marc.info/?l=bugtraq&m=143740940810833&w=2
http://rhn.redhat.com/errata/RHSA-2015-1443.html
http://rhn.redhat.com/errata/RHSA-2015-1471.html
http://www.debian.org/security/2015/dsa-3304
http://www.securityfocus.com/bid/75588
http://www.securitytracker.com/id/1032799
http://www.ubuntu.com/usn/USN-2669-1
http://kb.isc.org/article/AA-01267
http://kb.isc.org/article/AA-01305
http://kb.isc.org/article/AA-01306
http://kb.isc.org/article/AA-01307
http://kb.isc.org/article/AA-01438
http://kb.juniper.net/JSA10783
http://kc.mcafee.com/corporate/index?page=content&id=SB10124
http://security.gentoo.org/glsa/201510-01
http://security.netapp.com/advisory/ntap-20190903-0003/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for BIND
Input validation error in bind (Alpine package)
Amazon Linux AMI update for bind
Input validation error in ISC BIND
SUSE Linux update for bind
Slackware Linux update for bind