CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS: 0.01 Low
Percentile: 83.6%
ISC (Internet Systems Consortium) BIND fails to properly set default access control lists. This may allow unauthorized users to make recursive queries and query the cache.
From the ISC BIND security page:
The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents.
Note that the BIND advisory lists BIND 9.4.0, 9.4.1, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, and 9.5.0a5 as the versions affected.
A remote, unauthenticated attacker may be able to cause a vulnerable DNS server to perform recursion. This could be used to perform denial-of-service attacks. An attacker may also be able to query the cache.
Upgrade or Patch
This issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6. Users who obtain BIND from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.
Workarounds for administrators of non-publicly accessible recursive DNS servers
* Using firewall rules, limit access to the DNS server to authorized networks.
Workarounds for administrators of publicly accessible recursive DNS servers
* Rate limiting the number of external recursion requests may mitigate potential abuse of the DNS server.
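An audit sketch for the condition described above, added here as an example and not taken from the ISC or CERT advisories: it flags a server whose version is on the affected list and whose `options` block leaves `allow-recursion` or `allow-query-cache` unset or open to `any`. It assumes the version string is supplied by the caller, that explicit ACL statements take precedence over the defaults, and that ACL bodies are not nested; the sample configurations are constructed.

```python
import re
# Versions the advisory above lists as affected.
AFFECTED = {"9.4.0", "9.4.1", "9.5.0a1", "9.5.0a2", "9.5.0a3", "9.5.0a4", "9.5.0a5"}
# named.conf ACL statements that govern recursion and cache access.
ACL_OPTIONS = ("allow-recursion", "allow-query-cache")

def strip_comments(conf):
    """Remove /* */, // and # comments from named.conf text."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def options_block(conf):
    """Return the body of the top-level options { ... } block, or ''."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return ""  # unbalanced braces: treat as no options block

def audit(version, conf):
    """List findings for an affected version with implicit or open ACLs."""
    if version not in AFFECTED:
        return []
    body = options_block(strip_comments(conf))
    findings = []
    for opt in ACL_OPTIONS:
        m = re.search(r"(?<![\w-])" + re.escape(opt) + r"\s*\{([^}]*)\}", body)
        if m is None:
            findings.append(f"{opt}: not set, falls back to the default ACL")
        elif "any" in [e.strip() for e in m.group(1).split(";")]:
            findings.append(f"{opt}: explicitly open to any")
    return findings

# Constructed sample configurations (not from the advisory).
DEFAULTED = 'options { directory "/var/named"; };  // no ACL statements'
EXPLICIT = """acl trusted { 192.0.2.0/24; localhost; };
options {
    allow-recursion { trusted; };   // explicit and restricted
    allow-query-cache { trusted; };
};"""
if __name__ == "__main__":
    for name, conf in (("defaulted", DEFAULTED), ("explicit", EXPLICIT)):
        print(name, audit("9.4.1", conf) or "ok")
```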
Notified: July 27, 2007 Updated: July 30, 2007
Affected
The Debian project has fixed this vulnerability in its stable distribution Debian GNU/Linux 4.0 in version 9.3.4-2etch1 of bind9 and in its old stable distribution Debian GNU/Linux 3.1 in version 9.2.4-1sarge3 of bind9 via Debian Security Advisory 1341 as in <http://www.debian.org/security/2007/dsa-1341>
The vendor has not provided us with any further information regarding this vulnerability.
Updated: July 27, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
See <http://www.isc.org/sw/bind/bind-security.php> for more details.
Notified: July 27, 2007 Updated: July 30, 2007
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 27, 2007 Updated: July 30, 2007
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 27, 2007 Updated: August 08, 2007
Not Affected
Openwall GNU/*/Linux is not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 27, 2007 Updated: July 28, 2007
Not Affected
These issues did not affect the versions of Bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 27, 2007 Updated: August 02, 2007
Not Affected
SUSE is not affected by VU#187297 (CVE-2007-2925). We are not shipping bind 9.4 or later at this time.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 27, 2007 Updated: August 03, 2007
Not Affected
Sun is not impacted by CERT VU#187297 since we don’t ship any versions of BIND which are impacted.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 27, 2007 Updated: July 27, 2007
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Thanks to ISC for information that was used in this report.
This document was written by Ryan Giobbi.
CVE IDs: | CVE-2007-2925 |
---|---|
Severity Metric: | 16.98 |
Date Public: | |