ISC BIND is prone to a cache poisoning vulnerability.
# Copyright (C) 2022 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
CPE = "cpe:/a:isc:bind";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.113847");
script_version("2022-11-30T10:12:07+0000");
script_tag(name:"last_modification", value:"2022-11-30 10:12:07 +0000 (Wed, 30 Nov 2022)");
script_tag(name:"creation_date", value:"2022-03-18 10:55:12 +0000 (Fri, 18 Mar 2022)");
script_tag(name:"cvss_base", value:"4.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:N/I:P/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2022-11-28 18:14:00 +0000 (Mon, 28 Nov 2022)");
script_cve_id("CVE-2021-25220");
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"VendorFix");
script_name("ISC BIND Cache Poisoning Vulnerability (CVE-2021-25220) - Windows");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2022 Greenbone Networks GmbH");
script_family("General");
script_dependencies("gb_isc_bind_consolidation.nasl", "os_detection.nasl");
script_mandatory_keys("isc/bind/detected", "Host/runs_windows");
script_tag(name:"summary", value:"ISC BIND is prone to a cache poisoning vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"When using forwarders, bogus NS records supplied by, or via,
those forwarders may be cached and used by named if it needs to recurse for any reason, causing it
to obtain and pass on potentially incorrect answers.
Some examples of configurations that will be vulnerable are:
- Resolvers using per zone or global forwarding with forward first (forward first is the default).
- Resolvers not using global forwarding, but with per-zone forwarding with either forward first
(the default) or forward only.
- Resolvers configured with global forwarding along with zone statements that disable forwarding
for part of the DNS namespace.
Authoritative-only BIND 9 servers are not vulnerable to this flaw.");
script_tag(name:"impact", value:"The cache could become poisoned with incorrect records leading to
queries being made to the wrong servers, which might also result in false information being
returned to clients.");
script_tag(name:"affected", value:"ISC BIND versions 9.1.0 through 9.11.36, 9.12.0 through
9.16.26, 9.11.4-S1 through 9.11.36-S1, 9.16.8-S1 through 9.16.26-S1 and 9.17.0 through 9.18.0.
Versions of BIND 9 back to 9.1.0, including Supported Preview Editions - are believed to be
affected but have not been tested by the vendor as they are EOL.");
script_tag(name:"solution", value:"Update to version 9.11.37, 9.16.27, 9.18.1, 9.11.37-S1,
9.16.27-S1 or later.");
script_xref(name:"URL", value:"https://kb.isc.org/docs/cve-2021-25220");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if (isnull(port = get_app_port(cpe: CPE)))
exit(0);
if (!infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE))
exit(0);
version = infos["version"];
proto = infos["proto"];
location = infos["location"];
if (version =~ "^9\.[0-9]+\.[0-9]+s[0-9]") {
if (version_in_range(version: version, test_version: "9.11.4s1", test_version2: "9.11.36s1")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.11.37-S1", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
if (version_in_range(version: version, test_version: "9.16.8s1", test_version2: "9.16.26s1")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.16.27-S1", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
} else {
if (version_in_range(version: version, test_version: "9.1.0", test_version2: "9.11.36")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.11.37", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
if (version_in_range(version: version, test_version: "9.12.0", test_version2: "9.16.26")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.16.27", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
if (version_in_range(version: version, test_version: "9.17.0", test_version2: "9.18.0")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.18.1", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
}
exit(99);