Vulnerability identifier: #VU3848

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8000

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description
A remote attacker can trigger denial of service (DoS) conditions.

The vulnerability exists due to a parsing error when processing incoming responses within db.c file. A remote attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion, causing named to exit and denying service to clients.

Successful exploitation of this vulnerability may allow an attacker to perform a denial of service (DoS) attack.

Mitigation
Update to version 9.9.8-P2, 9.10.3-P2 or 9.9.8-S3.

Vulnerable software versions

ISC BIND: 9.0.0 - 9.10.3-P1

---

External links
http://kb.isc.org/article/AA-01317

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.