Lucene search

K
certCERTVU:360341
HistoryJan 19, 2010 - 12:00 a.m.

BIND 9 DNSSEC validation code could cause fake NXDOMAIN responses

2010-01-1900:00:00
www.kb.cert.org
34

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.013 Low

EPSS

Percentile

85.3%

Overview

A vulnerability exists in the BIND 9 DNSSEC validation code that could be used by an attacker to generate fake NXDOMAIN responses.

Description

BIND 9 contains a vulnerability in DNSSEC validation code. According to ISC:

_There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set. _

This issue affects BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P4, 9.5.0 -> 9.5.2-P1, 9.6.0 -> 9.6.1-P2


Impact

An attacker may be able to add fake NXDOMAIN records to a resolver’s cache.


Solution

Upgrade BIND to version 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.


Vendor Information

360341

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Fedora Project __ Affected

Notified: January 15, 2010 Updated: January 27, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Fedora has published more information regarding this issue:

<http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034196.html&gt;

Internet Systems Consortium __ Affected

Notified: January 15, 2010 Updated: January 19, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see <https://www.isc.org/advisories/CVE-2010-0097&gt; for more information regarding the vulnerability.

Red Hat, Inc. __ Affected

Notified: January 15, 2010 Updated: January 27, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Red Hat has published more information regarding this issue:

<http://rhn.redhat.com/errata/RHSA-2010-0062.html&gt;

Sun Microsystems, Inc. __ Affected

Notified: January 15, 2010 Updated: January 27, 2010

Statement Date: January 21, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see the following document for more information:

<http://sunsolve.sun.com/search/document.do?assetkey=1-66-275890-1&gt;

The SCO Group Affected

Notified: January 15, 2010 Updated: January 27, 2010

Statement Date: January 18, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu __ Affected

Notified: January 15, 2010 Updated: January 27, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Ubuntu has published more information regarding this issue:

<http://www.ubuntu.com/usn/USN-888-1&gt;

Alcatel-Lucent Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BlueCat Networks, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gnu ADNS Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Men & Mice Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nominum Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Shadowsupport Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: January 15, 2010 Updated: January 14, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 53 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

<https://www.isc.org/advisories/CVE-2010-0097&gt;

Acknowledgements

This issue was reported by ISC.

This document was written by David Warren.

Other Information

CVE IDs: CVE-2010-0097
Date Public: 2010-01-19 Date First Published:

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.013 Low

EPSS

Percentile

85.3%