nessus | This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. | BIND9_CVE-2016-8864.NASL
History: Nov 04, 2016 - 12:00 a.m.

ISC BIND 9 Recursive Response DNAME Record Handling DoS

2016-11-04 00:00:00
This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
22

According to its self-reported version number, the instance of ISC BIND 9 running on the remote name server is affected by a denial of service vulnerability due to improper handling of a recursive response containing a DNAME record in the answer section. An unauthenticated, remote attacker can exploit this to cause an assertion failure and daemon exit.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata section: when the script is run with `description` set, it only
# registers the plugin's identifiers, texts, scoring and prerequisites and then
# exits (see the exit(0) at the end of the block) without performing the check.
if (description)
{
  script_id(94577);
  script_version("1.11");
  script_cvs_date("Date: 2018/12/07 17:08:17");

  # External identifiers for the issue this plugin reports.
  script_cve_id("CVE-2016-8864");
  script_bugtraq_id(94067);

  script_name(english:"ISC BIND 9 Recursive Response DNAME Record Handling DoS");
  script_summary(english:"Checks the version of BIND.");

  script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by a denial of service
vulnerability.");
  # The description states explicitly that the result is derived from the
  # self-reported version only; the flaw itself is never exercised.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of ISC
BIND 9 running on the remote name server is affected by a denial of
service vulnerability due to improper handling of a recursive response
containing a DNAME record in the answer section. An unauthenticated,
remote attacker can exploit this to cause an assertion failure and
daemon exit.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01434/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ISC BIND version 9.9.9-P4 / 9.9.9-S6 / 9.10.4-P4 /
9.11.0-P1 or later.");
  # Both base vectors describe a network-reachable, unauthenticated issue whose
  # only impact is availability (A:P in CVSS v2, A:H in CVSS v3); the temporal
  # vectors record an unproven exploit (E:U) and an official fix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-8864");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/04");

  # Marked as a potential (unconfirmed) vulnerability, consistent with the
  # version-only detection described above. NOTE(review): a version banner can
  # be hidden or left unchanged by a backported fix, so treat a hit as a lead
  # to verify against the installed package, not as proof.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
  script_end_attributes();

  # Information-gathering category; the check code visible in this file only
  # reads the knowledge base and reports, it sends no DNS traffic of its own.
  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: bind_version.nasl is the declared dependency, and both the
  # "bind/version" and "Settings/ParanoidReport" KB keys are required.
  script_dependencies("bind_version.nasl");
  script_require_keys("bind/version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version string stored under the "bind/version" KB key (bind_version.nasl is
# the declared dependency of this plugin).
ver = get_kb_item_or_exit("bind/version");

# The result rests on the self-reported version alone, so the check is gated
# on the paranoid reporting level.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Classify the version one affected range at a time. Apart from the first
# pattern, every expression is anchored at both ends, so the fixed releases
# (9.9.9-P4, 9.9.9-S6, 9.10.4-P4, 9.11.0-P1) match none of them.
affected = FALSE;

# 9.0.x through 9.8.x
if (ver =~ "^9\.[0-8](\.[0-9])?([^0-9]|$)") affected = TRUE;

# 9.9.0 through 9.9.8, including pre-releases and -P/-S/-W suffixed builds
else if (ver =~ "^9\.9\.[0-8](([ab]|beta|rc)[0-9]*|(-[PSW][0-9]*){1,2})?$") affected = TRUE;

# 9.9.9, its pre-releases, and 9.9.9-P0..P3 / 9.9.9-S0..S5
else if (ver =~ "^9\.9\.9((([ab]|beta|rc)[0-9]*)|(-P[0-3])|(-S[0-5]))?$") affected = TRUE;

# 9.10.0 through 9.10.3, including pre-releases and -P/-S suffixed builds
else if (ver =~ "^9\.10\.[0-3](([ab]|beta|rc|-[PS])[0-9]*)?$") affected = TRUE;

# 9.10.4, its pre-releases, and 9.10.4-P0..P3
else if (ver =~ "^9\.10\.4((([ab]|beta|rc)[0-9]*)|(-P[0-3]))?$") affected = TRUE;

# 9.11.0 and its pre-releases
else if (ver =~ "^9\.11\.0($|([ab]|beta|rc)[0-9]*$)") affected = TRUE;

if (!affected)
{
  audit(AUDIT_LISTEN_NOT_VULN, "BIND", 53, ver, "UDP");
}
else
{
  # Report the installed version next to the fixed releases. The finding is
  # attached to 53/udp; both values are literals here, not read from the KB.
  field_order = make_list("Installed version", "Fixed version");
  report_fields = make_array(
    "Installed version", ver,
    "Fixed version", "9.9.9-P4 / 9.9.9-S6 / 9.10.4-P4 / 9.11.0-P1"
  );
  report_text = report_items_str(
    report_items:report_fields,
    ordered_fields:field_order
  );
  security_report_v4(
    severity:SECURITY_WARNING,
    port:53,
    proto:"udp",
    extra:report_text
  );
}
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| isc | bind | | cpe:/a:isc:bind |