CVE: CVE-2019-6471
Document version: 2.0
Posting date: 19 June 2019
Program impacted: BIND
Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1,
9.14.0 -> 9.14.2. Also all releases of the BIND 9.13
development branch and version 9.15.0 of the BIND 9.15
development branch. BIND Supported Preview Edition
versions 9.11.3-S1 -> 9.11.7-S1.
Severity: Medium
Exploitable: Remotely
Description:
A race condition which may occur when discarding malformed packets
can result in BIND exiting due to a REQUIRE assertion failure
in dispatch.c.
Impact:
An attacker who can cause a resolver to perform queries which
will be answered by a server which responds with deliberately
malformed answers can cause named to exit, denying service to
clients.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.
Workarounds:
None.
Active exploits:
None known.
Solution:
Upgrade to the patched release most closely related to your current version of BIND:
+ BIND 9.11.8
+ BIND 9.12.4-P2
+ BIND 9.14.3
+ BIND 9.15.1
BIND Supported Preview Edition is a special feature preview
branch of BIND provided to eligible ISC support customers.
+ BIND 9.11.8-S1
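An added example (not part of ISC's advisory) that turns the affected-version list in this document into a check a defender can run over `named -v` output from an inventory. It assumes the first line of `named -v` contains `BIND <version>` and that a `-Pn` hotfix suffix precedes any `-Sn` Supported Preview suffix; the function names, the status strings and the sample output lines are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class BindVersion(NamedTuple):
    """BIND version as a comparable tuple. p is the -Pn hotfix level and
    s the -Sn Supported Preview Edition level; both are 0 when absent."""
    major: int
    minor: int
    micro: int
    p: int
    s: int


# Matches "9.12.4-P1", "9.11.7-S1" or plain "9.14.2". Anything after the
# version (e.g. a distribution suffix such as "-RedHat-...") is ignored.
# Assumption: -P precedes -S when both appear.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(?:-S(\d+))?")


def parse_version(text: str) -> BindVersion:
    """Extract the BIND version from a string such as the first line of
    `named -v` (assumed to contain 'BIND <version> ...')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, micro, p, s = (int(g) if g else 0 for g in m.groups())
    return BindVersion(major, minor, micro, p, s)


# Affected ranges as listed in the advisory, grouped by edition. A high bound
# of None means every release on that major.minor branch is affected; a fixed
# release of None means the advisory lists no patched release on that branch.
Range = Tuple[BindVersion, Optional[BindVersion], Optional[str]]

AFFECTED_RANGES = {
    "standard": [
        (BindVersion(9, 11, 0, 0, 0), BindVersion(9, 11, 7, 0, 0), "9.11.8"),
        (BindVersion(9, 12, 0, 0, 0), BindVersion(9, 12, 4, 1, 0), "9.12.4-P2"),
        (BindVersion(9, 13, 0, 0, 0), None, None),  # whole 9.13 development branch
        (BindVersion(9, 14, 0, 0, 0), BindVersion(9, 14, 2, 0, 0), "9.14.3"),
        (BindVersion(9, 15, 0, 0, 0), BindVersion(9, 15, 0, 0, 0), "9.15.1"),
    ],
    "preview": [
        (BindVersion(9, 11, 3, 0, 1), BindVersion(9, 11, 7, 0, 1), "9.11.8-S1"),
    ],
}


class Assessment(NamedTuple):
    version: BindVersion
    status: str  # "affected", "outside_listed_range" or "branch_not_listed"
    fixed_release: Optional[str]


def assess(text: str) -> Assessment:
    """Classify one `named -v` line against the advisory's affected ranges."""
    v = parse_version(text)
    edition = "preview" if v.s else "standard"
    for low, high, fixed in AFFECTED_RANGES[edition]:
        if (v.major, v.minor) != (low.major, low.minor):
            continue  # different branch, keep looking
        if high is None or low <= v <= high:
            return Assessment(v, "affected", fixed)
        # Same branch but outside the listed range (e.g. already patched).
        return Assessment(v, "outside_listed_range", fixed)
    # Branch not covered by this advisory at all (older or newer than listed).
    return Assessment(v, "branch_not_listed", None)


def report(lines: List[str]) -> List[str]:
    """Human-readable summary for a batch of `named -v` lines."""
    out = []
    for line in lines:
        a = assess(line)
        fix = f", upgrade to {a.fixed_release}" if a.status == "affected" and a.fixed_release else ""
        out.append(f"{line.split()[1]}: {a.status}{fix}")
    return out


# Constructed sample `named -v` output (not captured from real hosts).
SAMPLE_OUTPUT = [
    "BIND 9.12.4-P1 (Stable Release)",
    "BIND 9.11.4-P2-RedHat-9.11.4-P2-3.el7 (Extended Support Version)",
    "BIND 9.11.7-S1 (Supported Preview Edition)",
    "BIND 9.14.3 (Stable Release)",
    "BIND 9.13.2 (Development Release)",
    "BIND 9.10.8-P1 (Extended Support Version)",
]

if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Two caveats when using a check like this: a distribution package may carry the backported fix under an unchanged upstream version string (the RedHat-style line above is classified purely by its `9.11.4-P2` component), so confirm against the vendor's own advisory before acting; and a branch reported as `branch_not_listed` is simply outside the scope of this advisory, not confirmed safe.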
Acknowledgements:
ISC would like to thank CERN for helping us to discover this issue.
Document revision history:
1.0 Early Notification, 12 June 2019
2.0 Public Disclosure, 19 June 2019
Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete
listing of security vulnerabilities and versions affected.