CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.205 Low
Percentile: 96.4%
A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). A flaw exists in the way that some versions of BIND handle DNS Security Extensions (DNSSEC) signed Resource Record Sets (RRsets).
The specific impact of this vulnerability differs slightly depending on the type of DNS server involved. For recursive servers, queries for SIG records will trigger an assertion failure if more than one SIG(covered) RRset is returned. For authoritative servers, if a name server is serving an RFC 2535 DNSSEC zone and is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g., a zone apex), then the name server daemon will trigger an assertion failure when it tries to construct the response.
This vulnerability affects BIND 9.3.x versions 9.3.0, 9.3.1, 9.3.2, 9.3.3b, and 9.3.3rc1, and BIND 9.4.x versions 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, and 9.4.0b1.
A remote attacker may be able to cause the name server daemon to crash, thereby causing a denial of service for DNS operations.
Apply a patch from the vendor
Patches have been released in response to this issue. Please see the Systems Affected section of this document.
Upgrade
Users who compile their own versions of BIND from the original ISC source code are encouraged to upgrade to BIND 9.3.2-P1. Patches for this issue are also included in BIND versions 9.3.3rc2 and 9.4.0b2. Patched versions of the software are available from the BIND download page.
Restrict Access
Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion.
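One way to apply the Restrict Access workaround in `named.conf`, shown as an added example that is not part of the original advisory. The ACL name `trusted` and the address ranges are placeholders (RFC 5737 documentation networks); `acl`, `allow-recursion` and `recursion` are standard BIND 9 configuration statements.

```conf
// Constructed example: the ACL name and addresses are placeholders,
// not values from the advisory.
acl trusted {
    127.0.0.1;          // the server itself
    192.0.2.0/24;       // internal client network (placeholder)
    198.51.100.0/24;    // second internal network (placeholder)
};

options {
    // Weak setting: any source on the network may ask this server
    // to recurse on its behalf.
    // allow-recursion { any; };

    // Restricted setting: only sources in the "trusted" ACL may ask
    // for recursion; other clients receive no recursive service.
    allow-recursion { trusted; };

    // On a server that is authoritative-only and never needs to
    // resolve names for clients, recursion can be switched off
    // entirely instead:
    // recursion no;
};
```

Running `named-checkconf` on the file before reloading catches syntax errors. Recursion limits address only the recursive-server case; an authoritative server that serves an RFC 2535 zone still answers SIG queries for its own data and needs the patched version.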
915404
Notified: August 23, 2006 Updated: September 11, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The Debian Security Team has published Debian Security Advisory DSA-1172 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23915404 Feedback>).
Notified: August 23, 2006 Updated: September 07, 2006
Affected
F5 was provided with advance notice of this advisory, and has prepared patches for all affected actively-supported versions of BIG-IP and Enterprise Manager. These patches will be released immediately upon final verification of test results.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 23, 2006 Updated: September 07, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The FreeBSD development team has published FreeBSD Security Advisory FreeBSD-SA-06:20.bind in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
The bind9 FreeBSD port was also updated on 2006-09-06 to include patches for this issue. Users who obtain BIND from the FreeBSD ports collection are encouraged to upgrade to this version (or later) of the port.
Notified: August 23, 2006 Updated: October 02, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Gentoo has published Gentoo Linux Security Advisory GLSA 200609-11 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Notified: August 18, 2006 Updated: September 06, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The Internet Software Consortium has published an alert on its BIND Vulnerabilities page (see CVE-2006-4095). Users who compile BIND from the original ISC source code distribution are encouraged to upgrade to BIND version 9.4.0b2, 9.3.3rc2, 9.3.2-P1, 9.2.7rc1, or 9.2.6-P1 (or later) as appropriate.
Notified: August 23, 2006 Updated: September 11, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Mandriva has published Mandriva Advisory MDKSA-2006:163 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Notified: August 23, 2006 Updated: October 02, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
NetBSD has published NetBSD Security Advisory 2006-022 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Notified: August 23, 2006 Updated: September 07, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Patches for this issue were committed to the HEAD, OPENBSD_3_8, and OPENBSD_3_9 branches of the OpenBSD CVS repository on 2006-09-05. Users of OpenBSD-current and OpenBSD-stable can obtain these patches via the usual mechanisms for CVS access.
Updated: September 07, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The OpenPKG security team has published OpenPKG Security Advisory OpenPKG-SA-2006.019 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Notified: August 23, 2006 Updated: September 11, 2006
Affected
We have fixed these issues by updating to BIND 9.3.2-P1 (with our usual modifications) in Owl-current as of 2006/09/06 and Owl 2.0-stable as of 2006/09/09.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 23, 2006 Updated: October 02, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Slackware has published Slackware Security Advisory SSA:2006-257-01 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Notified: August 23, 2006 Updated: October 02, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Trustix has published Trustix Secure Linux Security Advisory #2006-0051 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Notified: August 23, 2006 Updated: September 07, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The Ubuntu development team has published Ubuntu Security Notice USN-343-1 in response to this issue. Users are encouraged to review this notice and apply the patches it refers to.
Updated: September 25, 2006
Affected
`rPath Security Advisory: 2006-0166-1
Published: 2006-09-08
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
bind=/conary.rpath.com@rpl:devel//1/9.3.2_P1-0.1-1
bind-utils=/conary.rpath.com@rpl:devel//1/9.3.2_P1-0.1-1
References:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095>
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096>
<https://issues.rpath.com/browse/RPL-626>
Description:
Previous versions of the bind package are vulnerable to
multiple remote denial of service attacks.`
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 23, 2006 Updated: September 05, 2006
Not Affected
HI-UX/WE2 is NOT vulnerable to this issue.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 23, 2006 Updated: September 07, 2006
Not Affected
Infoblox does not believe Infoblox NIOS software is vulnerable to this issue.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 23, 2006 Updated: September 05, 2006
Not Affected
Juniper Networks products are not susceptible to this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 23, 2006 Updated: September 14, 2006
Not Affected
Sun does not ship a version of BIND which is impacted by CERT VU#697164 or VU#915404 in any of the currently supported releases of Solaris: Solaris 8, 9, and 10.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 23, 2006 Updated: August 23, 2006
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Thanks to Joao Damas of the Internet Software Consortium for reporting this vulnerability.
This document was written by Chad R Dougherty.
CVE IDs: | CVE-2006-4095 |
---|---|
Severity Metric: | 7.83 |
Date Public: | |