6.5 Medium
AI Score
Confidence
Low
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
75.0%
ISC BIND is prone to a vulnerability in the Winsock API.
# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
# CPE used by the detection logic after this block to look up the BIND
# port and install details.
CPE = "cpe:/a:isc:bind";
# Metadata registration: runs only when the scanner loads the script in
# description mode, then exits without touching the target.
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.146642");
script_version("2021-09-06T13:13:18+0000");
script_tag(name:"last_modification", value:"2021-09-06 13:13:18 +0000 (Mon, 06 Sep 2021)");
script_tag(name:"creation_date", value:"2021-09-06 12:31:07 +0000 (Mon, 06 Sep 2021)");
# CVSS v2 base score and vector for CVE-2013-6230.
script_tag(name:"cvss_base", value:"6.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_cve_id("CVE-2013-6230");
# Per the "vuldetect" tag below, the check is a version comparison only.
# A match therefore does not confirm the preconditions named in "insight":
# an interface with a 255.255.255.255 netmask, and 'localnets' being used
# explicitly or through an un-overridden default in named.conf.
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"VendorFix");
script_name("ISC BIND Winsock API Vulnerability (CVE-2013-6230) - Windows");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
script_family("General");
# The check requires both keys, so it applies only to hosts where BIND was
# detected and the OS was flagged as Windows.
# NOTE(review): presumably these keys are set by the two dependencies listed here - confirm.
script_dependencies("gb_isc_bind_consolidation.nasl", "os_detection.nasl");
script_mandatory_keys("isc/bind/detected", "Host/runs_windows");
script_tag(name:"summary", value:"ISC BIND is prone to a vulnerability in the Winsock API.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"On some Microsoft Windows systems, a network interface that has
an 'all ones' IPv4 subnet mask (255.255.255.255) will be incorrectly reported (by the Winsock
WSAIoctl API) as an all zeroes value (0.0.0.0). Because interfaces' netmasks are used to compute
the broadcast domain for each interface during construction of the built-in 'localnets' ACL, an
all zeroes netmask can cause matches on any IPv4 address, permitting unexpected access to any
BIND feature configured to allow access to 'localnets'. And unless overridden by a specific value
in named.conf, the default permissions for several BIND features (for example, allow-query-cache,
allow-query-cache-on, allow-recursion, and others) use this predefined 'localnets' ACL.
In addition, non-default access controls and other directives using an address match list with
the predefined 'localnets' ACL may not match as expected. This may include rndc 'controls',
'allow-notify', 'allow-query', 'allow-transfer', 'allow-update', 'blackhole', 'filter-aaaa',
'deny-answer-addresses', 'exempt-clients', and other directives if an administrator has specified
the 'localnets' ACL in their match lists.");
script_tag(name:"impact", value:"Under this defect, access controls and other directives which
use 'localnets' as part of the address match list may match much more broadly than was intended
by the server administrator. Please note that in addition to configuration statements where the
'localnets' acl is used explicitly, 'localnets' may also be used in the default behavior for some
features (such as 'allow-recursion') unless specifically overridden in the configuration file.
Allowing recursion to all reachable IPv4 addresses entails a number of risks, including increased
exposure to cache poisoning and the possibility of being used in a reflection attack.");
script_tag(name:"affected", value:"BIND 9.6-ESV through 9.6-ESV-R10, 9.8.0 through 9.8.6, 9.9.0
through 9.9.4, 9.9.3-S1 and 9.9.4-S1 on Windows.");
# The fixed versions listed cover the 9.6-ESV, 9.8 and 9.9 branches; no
# fixed version is named here for the -S1 builds listed under "affected".
script_tag(name:"solution", value:"Update to version 9.6-ESV-R10-P1, 9.8.6-P1, 9.9.4-P1 or later.");
script_xref(name:"URL", value:"https://kb.isc.org/docs/aa-01062");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
# Version-only detection for CVE-2013-6230: the detected BIND version is
# compared against the affected ranges and a finding is reported on a match.
# Nothing here inspects interface netmasks or named.conf, so a finding means
# "affected version installed", not "localnets ACL confirmed to be too broad".

# Stop quietly when no BIND port or no version information is available.
if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
proto = infos["proto"];
location = infos["location"];

# Fixed-version text for the report; stays NULL when no affected range matches.
fix = NULL;

if (version =~ "^9\.9\.[0-9]+s[0-9]") {
  # Versions of the form 9.9.<n>s<m>: only the two builds named in the
  # "affected" tag are flagged, and the report points at the advisory.
  if (version_is_equal(version: version, test_version: "9.9.3s1") ||
      version_is_equal(version: version, test_version: "9.9.4s1")) {
    fix = "See advisory";
  }
} else {
  # NOTE(review): the upper bound "9.6.10" presumably is how the detection
  # represents 9.6-ESV-R10 - confirm against the version normalisation.
  if (version_in_range(version: version, test_version: "9.6", test_version2: "9.6.10")) {
    fix = "9.6-ESV-R10-P1";
  } else if (version_in_range(version: version, test_version: "9.8.0", test_version2: "9.8.6")) {
    fix = "9.8.6-P1";
  } else if (version_in_range(version: version, test_version: "9.9.0", test_version2: "9.9.4")) {
    fix = "9.9.4-P1";
  }
}

if (!isnull(fix)) {
  report = report_fixed_ver(installed_version: version, fixed_version: fix, install_path: location);
  security_message(port: port, data: report, proto: proto);
  exit(0);
}

# No affected version matched.
exit(99);