ISC BIND 9 resolver.c Multiple DNS Cookie Packet Handling DoS

2016-03-17T00:00:00
ID BIND9_CVE-2016-2088.NASL
Type nessus
Reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-11-02T00:00:00

Description

According to its self-reported version number, ISC BIND installed on the remote name server is affected by a denial of service vulnerability in file resolver.c when DNS cookies are enabled. An unauthenticated, remote attacker can exploit this, via a malformed packet with more than one cookie option, to cause an INSIST assertion failure and daemon exit.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

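# Plugin registration. This branch only declares metadata (id, CVE, CVSS,
# dependencies, required KB keys) and then exits, so none of the detection
# logic further down runs while `description` is set.
if (description)
{
  script_id(90000);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2016-2088");

  script_name(english:"ISC BIND 9 resolver.c Multiple DNS Cookie Packet Handling DoS");
  script_summary(english:"Checks the version of BIND.");

  script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by a denial of service
vulnerability.");
  # Report text shown to the analyst. It states the two limits of this check:
  # the flaw only applies when DNS cookies are enabled, and the finding is
  # derived from the self-reported version string alone.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, ISC BIND installed on
the remote name server is affected by a denial of service
vulnerability in file resolver.c when DNS cookies are enabled. An
unauthenticated, remote attacker can exploit this, via a malformed
packet with more than one cookie option, to cause an INSIST assertion
failure and daemon exit.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/docs/aa-01351");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01363/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ISC BIND version 9.10.3-P4 or later.");
  # Availability-only impact in both vectors (C:N/I:N), matching the
  # assertion-failure / daemon-exit outcome described above.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2088");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/17");

  # Marked as a *potential* vulnerability: the script never sends a probe, and
  # the version string cannot show whether DNS cookies are enabled on the
  # target, so a match has to be confirmed on the host before it is treated
  # as a confirmed exposure.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
  script_end_attributes();

  # Information-gathering category: the check works from knowledge-base data
  # and does not attempt to trigger the assertion failure.
  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The version comes from bind_version.nasl via the "bind/version" KB item.
  # "Settings/ParanoidReport" is also required, so the plugin is skipped
  # entirely unless the scan policy enables paranoid reporting.
  script_dependencies("bind_version.nasl");
  script_require_keys("bind/version", "Settings/ParanoidReport");

  exit(0);
}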

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Detection is a pure version comparison on the KB value "bind/version";
# no packet is sent to the name server by this script.
ver = get_kb_item_or_exit("bind/version");

# Stop unless paranoid reporting is on. The version string is self-reported
# (it can be overridden or hidden by the operator, and a distribution may
# backport the fix without changing it), and it says nothing about whether
# DNS cookies are enabled, so a match is only an indication.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

fixed_ver = "9.10.3-P4";

# 9.10.x < 9.10.3-P4
# Both patterns are anchored with ^ and $, so a version string carrying any
# other trailing text (for example a vendor suffix) matches neither and ends
# up on the "not vulnerable" audit path below.
# NOTE(review): confirm whether bind_version.nasl normalizes such strings.
is_affected = FALSE;
if (ver =~ "^9\.10\.[0-2](([ab]|beta|rc|-[PS])[0-9]*)?$")
  is_affected = TRUE;
else if (ver =~ "^9\.10\.3((([ab]|beta|rc)[0-9]*)|(-P[0-3]))?$")
  is_affected = TRUE;

# audit() terminates the script, as the paranoia guard above already relies on.
if (!is_affected) audit(AUDIT_LISTEN_NOT_VULN, "BIND", 53, ver, "UDP");

# The finding is always attached to 53/udp, whatever port or transport the
# version was actually collected on.
# NOTE(review): verify against bind_version.nasl if other listeners matter.
if (report_verbosity > 0)
{
  field_order = make_list("Installed version", "Fixed version");
  fields = make_array(
    "Installed version", ver,
    "Fixed version", fixed_ver
  );
  report = report_items_str(
    report_items:fields,
    ordered_fields:field_order
  );
  security_warning(port:53, proto:"udp", extra:report);
}
else security_warning(port:53, proto:"udp");