7.8 - DSA-3094

Executive Summary

Summary
Title	bind9 security update

Informations
Name	DSA-3094	First vendor Publication	2014-12-08
Vendor	Debian	Last vendor Modification	2014-12-08
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score	7.8	Attack Range	Network
Cvss Impact Score	6.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

It was discovered that BIND, a DNS server, is prone to a denial of service vulnerability. By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process.)

For the stable distribution (wheezy), this problem has been fixed in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u3.

For the upcoming stable distribution (jessie), this problem will be fixed soon.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your bind9 packages.

Original Source

Url : http://www.debian.org/security/2014/dsa-3094

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-399	Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:27828

Oval ID:	oval:org.mitre.oval:def:27828
Title:	USN-2437-1 -- Bind vulnerability
Description:	Florian Maury discovered that Bind incorrectly handled delegation. A remote attacker could possibly use this issue to cause Bind to consume resources and crash, resulting in a denial of service.
Family:	unix	Class:	patch
Reference(s):	USN-2437-1 CVE-2014-8500	Version:	3
Platform(s):	Ubuntu 14.10 Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04	Product(s):	bind9
Definition Synopsis:
Ubuntu 14.10 release section Ubuntu 14.10 is installed AND bind9 is earlier than 1:9.9.5.dfsg-4.3ubuntu0.1 AND Ubuntu 14.04 release section Ubuntu 14.04 is installed AND bind9 is earlier than 1:9.9.5.dfsg-3ubuntu0.1 AND Ubuntu 12.04 release section Ubuntu 12.04 is installed AND bind9 is earlier than 1:9.8.1.dfsg.P1-4ubuntu0.9 AND Ubuntu 10.04 release section Ubuntu 10.04 is installed AND bind9 is earlier than 1:9.7.0.dfsg.P1-1ubuntu0.12

Definition Id: oval:org.mitre.oval:def:28079

Oval ID:	oval:org.mitre.oval:def:28079
Title:	ELSA-2014-1985 -- bind97 security update (important)
Description:	[32:9.7.0-21.P2.1] - Fix CVE-2014-8500 (#1171972)
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-1985 CVE-2014-8500	Version:	4
Platform(s):	Oracle Linux 5	Product(s):	bind97
Definition Synopsis:
Oracle Linux 5.x Packages match section bind97 is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-chroot is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-devel is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-libs is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-utils is earlier than 32:9.7.0-21.P2.el5_11.1

Definition Id: oval:org.mitre.oval:def:28292

Oval ID:	oval:org.mitre.oval:def:28292
Title:	DSA-3094-1 -- bind9 security update
Description:	It was discovered that BIND, a DNS server, is prone to a denial of service vulnerability.
Family:	unix	Class:	patch
Reference(s):	DSA-3094-1 CVE-2014-8500	Version:	3
Platform(s):	Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0	Product(s):	bind9
Definition Synopsis:
Debian 7 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND bind9 is earlier than 1:9.8.4.dfsg.P1-6+nmu2+deb7u3

Definition Id: oval:org.mitre.oval:def:28311

Oval ID:	oval:org.mitre.oval:def:28311
Title:	HP-UX Running BIND Remote Denial of Service (DoS)
Description:	ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory consumption and named crash) via a large or infinite number of referrals.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2014-8500	Version:	7
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
HP-UX B.11.31 AND filesets test NameService.BIND-AUX version is less than C.9.7.3.6.0 AND NameService.BIND-RUN version is less than C.9.7.3.6.0

Definition Id: oval:org.mitre.oval:def:28485

Oval ID:	oval:org.mitre.oval:def:28485
Title:	ELSA-2014-1984 -- bind security update (important)
Description:	[32:9.9.4-14.0.1.el7_0.1] - Rebuild to fix libmysqlclient dependency [32:9.9.4-14.1] - Fix CVE-2014-8500 (#1171975)
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-1984 CVE-2014-8500	Version:	4
Platform(s):	Oracle Linux 5 Oracle Linux 6 Oracle Linux 7	Product(s):	bind
Definition Synopsis:
Oracle Linux 5 release section Oracle Linux 5.x Packages match section bind is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-chroot is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-devel is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-libbind-devel is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-libs is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-sdb is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-utils is earlier than 30:9.3.6-25.P1.el5_11.2 AND caching-nameserver is earlier than 30:9.3.6-25.P1.el5_11.2 AND Oracle Linux 6 release section Oracle Linux 6.x Packages match section bind is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-chroot is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-devel is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-libs is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-sdb is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-utils is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND Oracle Linux 7 release section Oracle Linux 7.x Packages match section bind is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-chroot is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-devel is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-libs is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-libs-lite is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-license is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-lite-devel is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-sdb is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-sdb-chroot is earlier than 32:9.9.4-14.0.1.el7_0.1 AND bind-utils is earlier than 32:9.9.4-14.0.1.el7_0.1

Definition Id: oval:org.mitre.oval:def:28498

Oval ID:	oval:org.mitre.oval:def:28498
Title:	RHSA-2014:1985 -- bind97 security update (Important)
Description:	The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash. (CVE-2014-8500) All bind97 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:1985 CESA-2014:1985 CVE-2014-8500	Version:	5
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5	Product(s):	bind97
Definition Synopsis:
The operating system installed on the system is Red Hat Enterprise Linux 5 Packages match section bind97 is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-chroot is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-debuginfo is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-devel is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-libs is earlier than 32:9.7.0-21.P2.el5_11.1 AND bind97-utils is earlier than 32:9.7.0-21.P2.el5_11.1

Definition Id: oval:org.mitre.oval:def:28588

Oval ID:	oval:org.mitre.oval:def:28588
Title:	RHSA-2014:1984 -- bind security update (Important)
Description:	The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash. (CVE-2014-8500) All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:1984 CESA-2014:1984-CentOS 6 CESA-2014:1984-CentOS 7 CESA-2014:1984-CentOS 5 CVE-2014-8500	Version:	5
Platform(s):	Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 CentOS Linux 6 CentOS Linux 7 CentOS Linux 5	Product(s):	bind
Definition Synopsis:
Red Hat Enterprise Linux 5 release section The operating system installed on the system is Red Hat Enterprise Linux 5 Packages match section bind-chroot is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-debuginfo is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-devel is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-libbind-devel is earlier than 30:9.3.6-25.P1.el5_11.2 AND caching-nameserver is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-libs is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-sdb is earlier than 30:9.3.6-25.P1.el5_11.2 AND bind-utils is earlier than 30:9.3.6-25.P1.el5_11.2 AND Red Hat Enterprise Linux 6 and CentOS Linux 6 release section Operation system section The operating system installed on the system is Red Hat Enterprise Linux 6 AND The operating system installed on the system is CentOS Linux 6.x Packages match section bind is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-chroot is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-devel is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-libs is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-sdb is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND bind-utils is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND Red Hat Enterprise Linux 6 release section The operating system installed on the system is Red Hat Enterprise Linux 6 AND bind-debuginfo is earlier than 32:9.8.2-0.30.rc1.el6_6.1 AND Red Hat Enterprise Linux 7 and CentOS Linux 7 release section Operation system section The operating system installed on the system is Red Hat Enterprise Linux 7 AND The operating system installed on the system is CentOS Linux 7.x Packages match section bind is earlier than 32:9.9.4-14.el7_0.1 AND bind-chroot is earlier than 32:9.9.4-14.el7_0.1 AND bind-devel is earlier than 32:9.9.4-14.el7_0.1 AND bind-libs is earlier than 32:9.9.4-14.el7_0.1 AND bind-libs-lite is earlier than 32:9.9.4-14.el7_0.1 AND bind-license is earlier than 32:9.9.4-14.el7_0.1 AND bind-lite-devel is earlier than 32:9.9.4-14.el7_0.1 AND bind-sdb is earlier than 32:9.9.4-14.el7_0.1 AND bind-sdb-chroot is earlier than 32:9.9.4-14.el7_0.1 AND bind-utils is earlier than 32:9.9.4-14.el7_0.1 AND Red Hat Enterprise Linux 7 release section The operating system installed on the system is Red Hat Enterprise Linux 7 AND bind-debuginfo is earlier than 32:9.9.4-14.el7_0.1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Isc Bind cpe:2.3:a:isc:bind:9.9.6:::::::* cpe:2.3:a:isc:bind:9.9.5:::::::* cpe:2.3:a:isc:bind:9.9.4:::::::* cpe:2.3:a:isc:bind:9.9.3:::::::* cpe:2.3:a:isc:bind:9.9.2:::::::* cpe:2.3:a:isc:bind:9.9.1:::::::* cpe:2.3:a:isc:bind:9.9.0:::::::* cpe:2.3:a:isc:bind:9.8.6:::::::* cpe:2.3:a:isc:bind:9.8.5::::-::: cpe:2.3:a:isc:bind:9.8.4::::-::: cpe:2.3:a:isc:bind:9.8.3::::-::: cpe:2.3:a:isc:bind:9.8.2::::-::: cpe:2.3:a:isc:bind:9.8.1::::-::: cpe:2.3:a:isc:bind:9.8.0::::-::: cpe:2.3:a:isc:bind:9.7.7::::-::: cpe:2.3:a:isc:bind:9.7.6::::-::: cpe:2.3:a:isc:bind:9.7.5::::-::: cpe:2.3:a:isc:bind:9.7.4::::-::: cpe:2.3:a:isc:bind:9.7.3::::-::: cpe:2.3:a:isc:bind:9.7.2::::-::: cpe:2.3:a:isc:bind:9.7.1::::-::: cpe:2.3:a:isc:bind:9.7.0::::-::: cpe:2.3:a:isc:bind:9.6.3::::-::: cpe:2.3:a:isc:bind:9.6.2::::-::: cpe:2.3:a:isc:bind:9.6.1::::-::: cpe:2.3:a:isc:bind:9.6.0::::-::: cpe:2.3:a:isc:bind:9.5.3:::::::* cpe:2.3:a:isc:bind:9.5.2::::-::: cpe:2.3:a:isc:bind:9.5.1::::-::: cpe:2.3:a:isc:bind:9.5.0::::-::: cpe:2.3:a:isc:bind:9.5::::-::: cpe:2.3:a:isc:bind:9.4.3::::-::: cpe:2.3:a:isc:bind:9.4.2::::-::: cpe:2.3:a:isc:bind:9.4.1::::-::: cpe:2.3:a:isc:bind:9.4.0::::-::: cpe:2.3:a:isc:bind:9.4::::-::: cpe:2.3:a:isc:bind:9.3.6::::-::: cpe:2.3:a:isc:bind:9.3.5::::-::: cpe:2.3:a:isc:bind:9.3.4::::-::: cpe:2.3:a:isc:bind:9.3.3::::-::: cpe:2.3:a:isc:bind:9.3.2::::-::: cpe:2.3:a:isc:bind:9.3.1::::-::: cpe:2.3:a:isc:bind:9.3.0::::-::: cpe:2.3:a:isc:bind:9.3::::-::: cpe:2.3:a:isc:bind:9.2.9::::-::: cpe:2.3:a:isc:bind:9.2.8::::-::: cpe:2.3:a:isc:bind:9.2.7::::-::: cpe:2.3:a:isc:bind:9.2.6::::-::: cpe:2.3:a:isc:bind:9.2.5::::-::: cpe:2.3:a:isc:bind:9.2.4::::-::: cpe:2.3:a:isc:bind:9.2.3::::-::: cpe:2.3:a:isc:bind:9.2.2::::-::: cpe:2.3:a:isc:bind:9.2.1::::-::: cpe:2.3:a:isc:bind:9.2.0::::-::: cpe:2.3:a:isc:bind:9.2::::-::: cpe:2.3:a:isc:bind:9.10.1:::::::* cpe:2.3:a:isc:bind:9.10.0:::::::* cpe:2.3:a:isc:bind:9.1.3::::-::: cpe:2.3:a:isc:bind:9.1.2::::-::: cpe:2.3:a:isc:bind:9.1.1::::-::: cpe:2.3:a:isc:bind:9.1::::-::: cpe:2.3:a:isc:bind:9.0.1::::-::: cpe:2.3:a:isc:bind:9.0::::-:::	63

Snort® IPS/IDS

Date	Description
2015-03-31	ISC BIND recursive resolver resource consumption denial of service attempt RuleID : 33583 - Revision : 8 - Type : PROTOCOL-DNS

Nessus® Vulnerability Scanner

Date	Description
2017-04-21	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2017-0066.nasl - Type : ACT_GATHER_INFO
2016-06-22	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2016-0055.nasl - Type : ACT_GATHER_INFO
2016-01-29	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2016-0078.nasl - Type : ACT_GATHER_INFO
2015-09-22	Name : The remote host is missing a security update for OS X Server. File : macosx_server_5_0_3.nasl - Type : ACT_GATHER_INFO
2015-07-31	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0105.nasl - Type : ACT_GATHER_INFO
2015-05-20	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0096-1.nasl - Type : ACT_GATHER_INFO
2015-04-22	Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2015-111-01.nasl - Type : ACT_GATHER_INFO
2015-03-30	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-165.nasl - Type : ACT_GATHER_INFO
2015-03-26	Name : The remote Debian host is missing a security update. File : debian_DLA-112.nasl - Type : ACT_GATHER_INFO
2015-03-05	Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15927.nasl - Type : ACT_GATHER_INFO
2015-02-25	Name : The remote AIX host is missing a security patch. File : aix_IV68997.nasl - Type : ACT_GATHER_INFO
2015-02-25	Name : The remote AIX host is missing a security patch. File : aix_IV68996.nasl - Type : ACT_GATHER_INFO
2015-02-25	Name : The remote AIX host is missing a security patch. File : aix_IV68995.nasl - Type : ACT_GATHER_INFO
2015-02-25	Name : The remote AIX host is missing a security patch. File : aix_IV68994.nasl - Type : ACT_GATHER_INFO
2015-02-25	Name : The remote AIX host is missing a security patch. File : aix_IV68993.nasl - Type : ACT_GATHER_INFO
2015-02-24	Name : The remote name server is affected by multiple vulnerabilities. File : bind9_997_rc2.nasl - Type : ACT_GATHER_INFO
2015-02-24	Name : The remote name server is affected by multiple vulnerabilities. File : bind9_9102_rc2.nasl - Type : ACT_GATHER_INFO
2015-02-09	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201502-03.nasl - Type : ACT_GATHER_INFO
2015-01-09	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-465.nasl - Type : ACT_GATHER_INFO
2015-01-06	Name : The remote Fedora host is missing a security update. File : fedora_2014-16576.nasl - Type : ACT_GATHER_INFO
2015-01-06	Name : The remote Fedora host is missing a security update. File : fedora_2014-16557.nasl - Type : ACT_GATHER_INFO
2014-12-26	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0084.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1985.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1984.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-238.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_ab3e98d9817511e4907dd050992ecde8.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1985.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1984.nasl - Type : ACT_GATHER_INFO
2014-12-12	Name : The remote name server is affected by multiple denial of service vulnerabilit... File : bind9_9101_p1.nasl - Type : ACT_GATHER_INFO
2014-12-10	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2437-1.nasl - Type : ACT_GATHER_INFO
2014-12-09	Name : The remote Debian host is missing a security-related update. File : debian_DSA-3094.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-12-12 09:28:28	Multiple Updates
2014-12-11 09:27:59	Multiple Updates
2014-12-10 13:27:02	Multiple Updates
2014-12-09 00:25:38	First insertion

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	7
CPE ID(s)	63
Snort® Rule(s)	1
Nessus® Exploit(s)	31

	Related
7.8	CVE-2014-8500
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)

7.8 - DSA-3094

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Snort® IPS/IDS

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU