According to its self-reported version number, the instance of ISC BIND running on the remote name server is affected by multiple denial of service vulnerabilities:
A denial of service vulnerability exists in files sexpr.c and alist.c when handling control channel packets. An unauthenticated, remote attacker can exploit this, via crafted packets sent to the control channel (rndc) interface, to cause an assertion failure and daemon exit. (CVE-2016-1285)
A denial of service vulnerability exists in resolver.c when DNS cookies are enabled. An unauthenticated, remote attacker can exploit this, via a malformed cookie with more than one cookie option, to cause an INSIST assertion failure and daemon exit. (CVE-2016-2088)
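Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number. A finding should therefore be confirmed against the installed package, because a vendor-backported fix or an operator-configured version string is not reflected in the reported version.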
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: runs only when the engine loads the plugin for its
# metadata. It ends with exit(0), so none of the check logic below this block
# executes in that mode.
if (description)
{
script_id(89998);
script_version("1.13");
script_cvs_date("Date: 2019/11/20");
# Both CVEs are reported by this single plugin; the report produced further
# down does not say which of the two applies to a given host.
script_cve_id("CVE-2016-1285", "CVE-2016-2088");
script_name(english:"ISC BIND 9 Multiple DoS");
script_summary(english:"Checks the version of BIND.");
script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by multiple denial of service
vulnerabilities.");
# The description states outright that the result rests on the self-reported
# version only; no packet exercising either issue is sent by this script.
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of ISC
BIND running on the remote name server is affected by multiple denial
of service vulnerabilities :
- A denial of service vulnerability exists in files
sexpr.c and alist.c when handling control channel
packets. An unauthenticated, remote attacker can
exploit this, via crafted packets sent to the control
channel (rndc) interface, to cause an assertion failure
and daemon exit. (CVE-2016-1285)
- A denial of service vulnerability exists in resolver.c
when DNS cookies are enabled. An unauthenticated, remote
attacker can exploit this, via a malformed cookie with
more than one cookie option, to cause an INSIST
assertion failure and daemon exit. (CVE-2016-2088)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/docs/aa-01352");
script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01362/");
# Remediation text. Note the last sentence: per this text the CVE-2016-2088
# fix ships only in 9.10.3-P4, so the 9.9.x fixed versions listed here
# address CVE-2016-1285 alone.
script_set_attribute(attribute:"solution", value:
"Upgrade to ISC BIND version 9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4 or later.
Note that version 9.9.8-S6 is a preview version of BIND provided
exclusively to ISC Support customers. Additionally, the fix for
CVE-2016-2088 is only available in version 9.10.3-P4.");
# Severity metadata. Both vectors rate the impact as availability-only
# (C:N/I:N), matching the "assertion failure and daemon exit" outcome
# described above.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
# The scores are attributed to CVE-2016-2088. NOTE(review): a host flagged
# through a 9.9.x pattern would still carry that CVE's score - confirm this
# is intended when triaging.
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2088");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/09");
script_set_attribute(attribute:"patch_publication_date", value:"2016/03/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/17");
# Marks the finding as unconfirmed: it is inferred from a version string.
# Together with the Settings/ParanoidReport key required below, this keeps
# the plugin out of default (non-paranoid) scans.
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"DNS");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# bind_version.nasl presumably populates the "bind/version" KB item read by
# the check logic - confirm against that plugin.
script_dependencies("bind_version.nasl");
script_require_keys("bind/version", "Settings/ParanoidReport");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
# Version-only check: the BIND version string comes from the knowledge base
# (the helper, per its name, exits when the item is missing). Nothing is sent
# to the name server from here, so the result is only as reliable as that
# string - a backported fix or an operator-set version banner is invisible.
ver = get_kb_item_or_exit("bind/version");

# Because the finding is unconfirmed, report it only in paranoid scans.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Compare the version against each affected range in turn; the first match
# decides, exactly as a short-circuit OR would.
is_affected = FALSE;

# 9.2.x through 9.8.x, any alpha/beta/rc or -P/-S suffix
if (ver =~ "^9\.[2-8]\.[0-9](([ab]|beta|rc|-[PS])[0-9]*)?$")
  is_affected = TRUE;
# 9.9.0 through 9.9.7, any suffix
else if (ver =~ "^9\.9\.[0-7](([ab]|beta|rc|-[PS])[0-9]*)?$")
  is_affected = TRUE;
# 9.9.8 before -P4 / -S6
else if (ver =~ "^9\.9\.8((([ab]|beta|rc)[0-9]*)|(-P[0-3])|(-S[0-5]))?$")
  is_affected = TRUE;
# 9.10.0 through 9.10.2, any suffix
else if (ver =~ "^9\.10\.[0-2](([ab]|beta|rc|-[PS])[0-9]*)?$")
  is_affected = TRUE;
# 9.10.3 before -P4
else if (ver =~ "^9\.10\.3((([ab]|beta|rc)[0-9]*)|(-P[0-3]))?$")
  is_affected = TRUE;

# NOTE(review): the finding is always attached to 53/udp, although one of the
# two issues is described as reachable through the control channel (rndc).
# Whether that channel is exposed is not examined here - check the server's
# control-channel access restrictions separately when triaging.
if (!is_affected)
  audit(AUDIT_LISTEN_NOT_VULN, "BIND", 53, ver, "UDP");
else if (report_verbosity > 0)
{
  # Verbose report: installed vs. fixed version, in that order.
  field_order = make_list("Installed version", "Fixed version");
  field_values = make_array(
    "Installed version", ver,
    "Fixed version", "9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4"
  );
  security_warning(
    port:53,
    proto:"udp",
    extra:report_items_str(
      report_items:field_values,
      ordered_fields:field_order
    )
  );
}
else security_warning(port:53, proto:"udp");