nessusThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.BIND9_CVE-2016-1285.NASL
HistoryMar 17, 2016 - 12:00 a.m.

ISC BIND 9 Multiple DoS

2016-03-1700:00:00
This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10

According to its self-reported version number, the instance of ISC BIND running on the remote name server is affected by multiple denial of service vulnerabilities :

  • A denial of service vulnerability exists in files sexpr.c and alist.c when handling control channel packets. An unauthenticated, remote attacker can exploit this, via crafted packets sent to the control channel (rndc) interface, to cause an assertion failure and daemon exit. (CVE-2016-1285)

  • A denial of service vulnerability exists in resolver.c when DNS cookies are enabled. An unauthenticated, remote attacker can exploit this, via a malformed cookie with more than one cookie option, to cause an INSIST assertion failure and daemon exit. (CVE-2016-2088)

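Note that Nessus has not tested for these issues; it has relied only on the application’s self-reported version number. The plugin marks the result as a potential vulnerability and reports it only when paranoid reporting is enabled, so confirm the installed BIND build on the host before acting on the finding.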

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata registration pass: when `description` is set, the plugin only
# declares its identity, references, scoring and prerequisites, then exits
# before any of the check logic below is reached.
if (description)
{
  script_id(89998);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/20");

  # Both CVEs are attached to a single finding; the report produced by the
  # check does not say which of the two applies to the detected release.
  script_cve_id("CVE-2016-1285", "CVE-2016-2088");

  script_name(english:"ISC BIND 9 Multiple DoS");
  script_summary(english:"Checks the version of BIND.");

  script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by multiple denial of service
vulnerabilities.");
  # The description states the detection limit explicitly: the result comes
  # from the self-reported version number, not from testing the flaws.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of ISC
BIND running on the remote name server is affected by multiple denial
of service vulnerabilities :

  - A denial of service vulnerability exists in files
    sexpr.c and alist.c when handling control channel
    packets. An unauthenticated, remote attacker can
    exploit this, via crafted packets sent to the control
    channel (rndc) interface, to cause an assertion failure
    and daemon exit. (CVE-2016-1285)

  - A denial of service vulnerability exists in resolver.c
    when DNS cookies are enabled. An unauthenticated, remote
    attacker can exploit this, via a malformed cookie with
    more than one cookie option, to cause an INSIST
    assertion failure and daemon exit. (CVE-2016-2088)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # Vendor advisories (ISC knowledge base) for the two issues.
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/docs/aa-01352");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01362/");
  # Remediation guidance. Note the caveats carried in the text: 9.9.8-S6 is
  # a preview build for ISC Support customers, and the CVE-2016-2088 fix is
  # only available in 9.10.3-P4.
  script_set_attribute(attribute:"solution", value:
"Upgrade to ISC BIND version 9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4 or later.
Note that version 9.9.8-S6 is a preview version of BIND provided
exclusively to ISC Support customers. Additionally, the fix for
CVE-2016-2088 is only available in version 9.10.3-P4.");
  # Scoring: network-reachable, no authentication or privileges required,
  # availability impact only (C:N / I:N). The cvss_score_source attribute
  # below names CVE-2016-2088 as the source of the score.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2088");

  # Exploit-maturity metadata as recorded at this plugin revision.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/17");

  # Declared as a potential (unconfirmed) vulnerability, consistent with the
  # version-only detection and the Settings/ParanoidReport requirement below.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
  script_end_attributes();

  # Information-gathering category; the check code in this file only reads
  # the knowledge base and compares strings.
  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: bind_version.nasl is declared as a dependency (presumably
  # the plugin that stores "bind/version" - confirm against that script), and
  # the plugin requires both the version key and paranoid reporting.
  script_dependencies("bind_version.nasl");
  script_require_keys("bind/version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version string stored in the knowledge base under "bind/version"; per the
# helper's name, the plugin exits when that entry is missing.
ver = get_kb_item_or_exit("bind/version");

# The verdict rests on the self-reported version string alone, so it is only
# produced when the scan runs at paranoia level 2 or above.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

fixed_versions = "9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4";
affected = FALSE;

# Affected ranges, tested in order:
#   1. 9.2.x - 9.8.x (single-digit third component, optional a/b/beta/rc/-P/-S suffix)
#   2. 9.9.0 - 9.9.7 (same suffix forms)
#   3. 9.9.8, its pre-releases, -P0..-P3 and -S0..-S5
#   4. 9.10.0 - 9.10.2 (same suffix forms as 1)
#   5. 9.10.3, its pre-releases and -P0..-P3
# NOTE(review): a version string in a format none of these patterns
# anticipates is audited as not vulnerable, so a customised or unusual banner
# yields a negative result rather than an "unknown".
if (ver =~ "^9\.[2-8]\.[0-9](([ab]|beta|rc|-[PS])[0-9]*)?$") affected = TRUE;
else if (ver =~ "^9\.9\.[0-7](([ab]|beta|rc|-[PS])[0-9]*)?$") affected = TRUE;
else if (ver =~ "^9\.9\.8((([ab]|beta|rc)[0-9]*)|(-P[0-3])|(-S[0-5]))?$") affected = TRUE;
else if (ver =~ "^9\.10\.[0-2](([ab]|beta|rc|-[PS])[0-9]*)?$") affected = TRUE;
else if (ver =~ "^9\.10\.3((([ab]|beta|rc)[0-9]*)|(-P[0-3]))?$") affected = TRUE;

# The finding is attached to 53/udp in every case. Reachability of the rndc
# control channel (CVE-2016-1285) and whether DNS cookies are enabled
# (CVE-2016-2088) are not examined here and need to be checked on the host.
if (!affected) audit(AUDIT_LISTEN_NOT_VULN, "BIND", 53, ver, "UDP");
else if (report_verbosity > 0)
{
  # Verbose report: installed version next to the fixed releases.
  report = report_items_str(
    report_items:make_array(
      "Installed version", ver,
      "Fixed version", fixed_versions
    ),
    ordered_fields:make_list("Installed version", "Fixed version")
  );
  security_warning(port:53, proto:"udp", extra:report);
}
else security_warning(port:53, proto:"udp");
Vendor | Product | Version | CPE
isc | bind | - | cpe:/a:isc:bind