ISC BIND 9 resolver.c Multiple DNS Cookie Packet Handling DoS

2016-03-17T00:00:00
ID BIND9_CVE-2016-2088.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

According to its self-reported version number, ISC BIND installed on the remote name server is affected by a denial of service vulnerability in file resolver.c when DNS cookies are enabled. An unauthenticated, remote attacker can exploit this, via a malformed packet with more than one cookie option, to cause an INSIST assertion failure and daemon exit.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block. It runs only when `description` is set, declares the
# plugin's identifiers, report text, scoring and prerequisites, and then exits
# before any of the detection logic further down is reached.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(90000);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/15 20:50:21");

  # The single CVE this plugin reports on.
  script_cve_id("CVE-2016-2088");

  script_name(english:"ISC BIND 9 resolver.c Multiple DNS Cookie Packet Handling DoS");
  script_summary(english:"Checks the version of BIND.");

  script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by a denial of service
vulnerability.");
  # NOTE(review): the text below reads "exploit his"; "exploit this" is meant.
  # It is left untouched here because it is report output, not a comment.
  # The text also states the precondition (DNS cookies enabled) and that the
  # result comes from the self-reported version only, not from a probe.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, ISC BIND installed on
the remote name server is affected by a denial of service
vulnerability in file resolver.c when DNS cookies are enabled. An
unauthenticated, remote attacker can exploit his, via a malformed
packet with more than one cookie option, to cause an INSIST assertion
failure and daemon exit.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/docs/aa-01351");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01363/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ISC BIND version 9.10.3-P4 or later.");
  # CVSS v2 base: network vector, low complexity, no authentication,
  # no confidentiality or integrity impact, complete availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  # CVSS v2 temporal: exploitability unproven, official fix, report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/17");

  # Flagged as a potential vulnerability: the result is inferred from the
  # version string, so whether cookie handling is actually enabled on the
  # target is not established by this plugin.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  # Prerequisites: a recorded "bind/version" KB entry (presumably written by
  # bind_version.nasl; confirm) and the "Settings/ParanoidReport" key.
  script_dependencies("bind_version.nasl");
  script_require_keys("bind/version", "Settings/ParanoidReport");

  # Registration only: stop here so the check below does not run.
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version string recorded in the KB under "bind/version"; the helper exits
# when no such entry exists.
ver = get_kb_item_or_exit("bind/version");

# The verdict below rests on the version string alone, so it is offered only
# when the scan's paranoia level is 2 or higher.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

fixed_ver = "9.10.3-P4";

# Affected range: 9.10.x below 9.10.3-P4. Anything matching neither pattern
# is audited as not vulnerable.
# NOTE(review): a version match does not show that DNS cookie support is
# enabled on the target, and a customised or hidden version string would
# defeat the comparison; confirm both on the host before acting on a result.
if (
  ver !~ "^9\.10\.[0-2](([ab]|beta|rc|-[PS])[0-9]*)?$" &&
  ver !~ "^9\.10\.3((([ab]|beta|rc)[0-9]*)|(-P[0-3]))?$"
)
  audit(AUDIT_LISTEN_NOT_VULN, "BIND", 53, ver, "UDP");
else
{
  # The finding is always attributed to 53/udp, whichever port or transport
  # the version string was originally collected from.
  if (!(report_verbosity > 0))
    security_hole(port:53, proto:"udp");
  else
  {
    # Verbose reports add the installed and fixed versions, in that order.
    field_order = make_list("Installed version", "Fixed version");
    report_fields = make_array(
      "Installed version", ver,
      "Fixed version", fixed_ver
    );
    security_hole(
      port:53,
      proto:"udp",
      extra:report_items_str(
        report_items:report_fields,
        ordered_fields:field_order
      )
    );
  }
}