Executive Summary
Summary | |
---|---|
Title | ISC Bind 9 IXFR or DDNS update combined with high query rate DoS vulnerability |
Informations | |||
---|---|---|---|
Name | VU#559980 | First vendor Publication | 2011-02-22 |
Vendor | VU-CERT | Last vendor Modification | 2011-02-23 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.1 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#559980ISC Bind 9 IXFR or DDNS update combined with high query rate DoS vulnerabilityOverviewA denial-of-service condition exists in certain cases when an ISC Bind server processes a IXFR transfer or dynamic update.I. DescriptionThe ISC security advisory states:"When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition." The ISC advisory contains the following workaround:
Referenceshttp://www.isc.org/software/bind/advisories/cve-2011-0414 Thanks to ISC for reporting this vulnerability. This document was written by Jared Allar.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/559980 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12628 | |||
Oval ID: | oval:org.mitre.oval:def:12628 | ||
Title: | DSA-2208-2 bind9 -- denial of service | ||
Description: | The BIND, a DNS server, contains a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. If DNSSEC validation is enabled, this issue can make domains ending in .COM unavailable when the DS record for .COM is added to the DNS root zone on March 31st, 2011. An unpatched server which is affected by this issue can be restarted, thus re-enabling resolution of .COM domains. Configurations not using DNSSEC validations are not affected by this usse. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2208-2 CVE-2011-0414 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | bind9 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:12924 | |||
Oval ID: | oval:org.mitre.oval:def:12924 | ||
Title: | DSA-2208-1 bind9 -- denial of service | ||
Description: | It was discovered that BIND, a DNS server, contains a race condition when processing zones updates in an authoritative server, either through dynamic DNS updates or incremental zone transfer. Such an update while processing a query could result in deadlock and denial of service. In addition, this security update addresses a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. If DNSSEC validation is enabled, this issue can make domains ending in .COM unavailable when the DS record for .COM is added to the DNS root zone on March 31st, 2011. An unpatched server which is affected by this issue can be restarted, thus re-enabling resolution of .COM domains. This workaround applies to the version in oldstable, too. Configurations not using DNSSEC validations are not affected by this second issue. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2208-1 CVE-2011-0414 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | bind9 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-01 (bind) File : nvt/glsa_201206_01.nasl |
2011-05-12 | Name : Debian Security Advisory DSA 2208-1 (bind9) File : nvt/deb_2208_1.nasl |
2011-05-12 | Name : Debian Security Advisory DSA 2208-2 (bind9) File : nvt/deb_2208_2.nasl |
2011-02-28 | Name : Ubuntu Update for bind9 vulnerability USN-1070-1 File : nvt/gb_ubuntu_USN_1070_1.nasl |
2011-02-23 | Name : ISC BIND 9 IXFR Transfer/DDNS Update Remote Denial of Service Vulnerability File : nvt/gb_bind_46491.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
72539 | ISC BIND Authoritative Server Crafted IXFR / DDNS Query Update Deadlock DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-04-21 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2017-0066.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_bind-110224.nasl - Type : ACT_GATHER_INFO |
2012-06-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-01.nasl - Type : ACT_GATHER_INFO |
2011-03-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2208.nasl - Type : ACT_GATHER_INFO |
2011-02-24 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1070-1.nasl - Type : ACT_GATHER_INFO |
2011-02-23 | Name : The remote name server is affected by a denial of service vulnerability. File : bind9_973.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:07:58 |
|