CERTVU:187297ISC BIND does not correctly set default access controls
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.01 Low
EPSS
Percentile
83.6%
Overview
ISC (Internet Systems Consortiuim) BIND fails to properly set default access control lists. This may allow unauthorized users to make recursive querries and querry the cache.
Description
From the ISC BIND security page:
The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents.
Note that the BIND advisory lists BIND 9.4.0, 9.4.1, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, and 9.5.0a5 as the versions affected.
Impact
A remote, unauthenticated attacker may be able to cause a vulnerable DNS server perform recursion. This could be used to perform denial-of-service attacks. An attacker may also be able to querry the cache.
Solution
Upgrade or Patch
This issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6. Users who obtain BIND from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.
Workarounds for administrators of non-publicly accessisble recursive DNS servers
* Using firewall rules, limit access to the DNS server to authorized networks.
Workarounds for administrators of publicly accessisble recursive DNS servers
* Rate limiting the number of external recursion requests may mitigate potential abuse of the DNS server.
Vendor Information
187297
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Debian GNU/Linux __ Affected
Notified: July 27, 2007 Updated: July 30, 2007
Status
Affected
Vendor Statement
The Debian project has fixed this vulnerability in its stable distribution Debian GNU/Linux 4.0 in version 9.3.4-2etch1 of bind9 and in its old stable distribution Debian GNU/Linux 3.1 in version 9.2.4-1sarge3 of bind9 via Debian Security Advisory 1341 as in
<<http://www.debian.org/security/2007/dsa-1341>>
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Internet Software Consortium __ Affected
Updated: July 27, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
See <http://www.isc.org/sw/bind/bind-security.php> for more details.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23187297 Feedback>).
EMC Corporation Not Affected
Notified: July 27, 2007 Updated: July 30, 2007
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hitachi Not Affected
Notified: July 27, 2007 Updated: July 30, 2007
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Openwall GNU/*/Linux __ Not Affected
Notified: July 27, 2007 Updated: August 08, 2007
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Red Hat, Inc. __ Not Affected
Notified: July 27, 2007 Updated: July 28, 2007
Status
Not Affected
Vendor Statement
These issues did not affect the versions of Bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SUSE Linux __ Not Affected
Notified: July 27, 2007 Updated: August 02, 2007
Status
Not Affected
Vendor Statement
SUSE is not affected by VU#187297 (CVE-2007-2925). We are not shipping bind 9.4 or later at this time.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. __ Not Affected
Notified: July 27, 2007 Updated: August 03, 2007
Status
Not Affected
Vendor Statement
Sun is not impacted by CERT VU#187297 since we don’t ship any versions of BIND which are impacted.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Computer, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cray Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
F5 Networks, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fedora Project Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fujitsu Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Gentoo Linux Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Immunix Communications, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Juniper Networks, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mandriva, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NEC Corporation Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NetBSD Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OpenBSD Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Slackware Linux Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sony Corporation Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Trustix Secure Linux Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Turbolinux Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ubuntu Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Unisys Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: July 27, 2007 Updated: July 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
View all 39 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.isc.org/sw/bind/bind-security.php>
- <http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html>
Acknowledgements
Thanks to ISC for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
| CVE IDs: | CVE-2007-2925 |
|---|---|
| Severity Metric: | 16.98 Date Public: |
Related
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.01 Low
EPSS
Percentile
83.6%