Authentication Bypass

2019-01-1509:18:18

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

bind is vulnerable to authentication bypass attacks. The vulnerability exists as an attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient or accepting bogus NOTIFY packets.

CPENameOperatorVersion
bindeq9.7.0__5.P2.el6_0.1
bindeq9.8.2__0.17.rc1.el6.3
bindeq9.8.2__0.30.rc1.el6
bindeq9.7.3__2.el6_1.P1.1
bindeq9.8.2__0.10.rc1.el6_3.2
bindeq9.7.3__2.el6_1.P3.3
bindeq9.8.2__0.17.rc1.el6_4.4
bindeq9.8.2__0.37.rc1.el6_7.2
bindeq9.8.2__0.10.rc1.el6_3.1
bindeq9.8.2__0.17.rc1.el6_4.6

Name	Operator	Version
bind	eq	9.7.0__5.P2.el6_0.1
bind	eq	9.8.2__0.17.rc1.el6.3
bind	eq	9.8.2__0.30.rc1.el6
bind	eq	9.7.3__2.el6_1.P1.1
bind	eq	9.8.2__0.10.rc1.el6_3.2
bind	eq	9.7.3__2.el6_1.P3.3
bind	eq	9.8.2__0.17.rc1.el6_4.4
bind	eq	9.8.2__0.37.rc1.el6_7.2
bind	eq	9.8.2__0.10.rc1.el6_3.1
bind	eq	9.8.2__0.17.rc1.el6_4.6