CVE-2016-9778
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes. Please note: This vulnerability affects the "nxdomain-redirect" feature, which is one of two methods of handling NXDOMAIN redirection, and is only available in certain versions of BIND. Redirection using zones of type "redirect" is not affected by this vulnerability. Affects BIND 9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0-9.11.0-P1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ISC | BIND 9 | BIND 9 9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0-9.11.0-P1 | affected |
Weaknesses
- Only servers which are performing NXDOMAIN redirection using the "nxdomain-redirect" function are potentially vulnerable and then only a subset of those servers. In order to be affected a server must be using nxdomain-redirect AND must be redirecting NXDOMAIN responses for a zone for which the server also provides authoritative service – therefore a purely recursive server is not at risk, either. Successful exploitation of the vulnerability will cause named to stop execution after encountering a REQUIRE assertion failure in db.c, resulting in denial of service to clients.
Workarounds
Either provide an ordinary (that is: not redirected) NXDOMAIN for non-existent resource records in zones for which authoritative data is served on the same server or use redirect zones instead of the nxdomain-redirect feature.
ADP Enrichment
CVE Program Container
Additional References
- http://www.securitytracker.com/id/1037582
- https://security.gentoo.org/glsa/201708-01
- https://security.netapp.com/advisory/ntap-20180926-0005/
- https://kb.isc.org/article/AA-01442/
- http://www.securityfocus.com/bid/95388
References
- http://www.securitytracker.com/id/1037582
- https://security.gentoo.org/glsa/201708-01
- https://security.netapp.com/advisory/ntap-20180926-0005/
- https://kb.isc.org/article/AA-01442/
- http://www.securityfocus.com/bid/95388
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.