CVE-2009-4022

low

Description

Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.

References

ftp://ftp.sco.com/pub/unixware7/714/security/p535243_uw7/p535243b.txt

http://aix.software.ibm.com/aix/efixes/security/bind9_advisory.asc

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html

http://lists.vmware.com/pipermail/security-announce/2010/000082.html

http://osvdb.org/60493

http://secunia.com/advisories/37426

http://secunia.com/advisories/37491

http://secunia.com/advisories/38219

http://secunia.com/advisories/38240

http://secunia.com/advisories/38794

http://secunia.com/advisories/38834

http://secunia.com/advisories/39334

http://secunia.com/advisories/40730

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021660.1-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021798.1-1

http://support.apple.com/kb/HT5002

http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0018

http://www.ibm.com/support/docview.wss?uid=isg1IZ68597

http://www.ibm.com/support/docview.wss?uid=isg1IZ71667

http://www.ibm.com/support/docview.wss?uid=isg1IZ71774

http://www.kb.cert.org/vuls/id/418861

http://www.mandriva.com/security/advisories?name=MDVSA-2009:304

http://www.openwall.com/lists/oss-security/2009/11/24/1

http://www.openwall.com/lists/oss-security/2009/11/24/2

http://www.openwall.com/lists/oss-security/2009/11/24/8

http://www.redhat.com/support/errata/RHSA-2009-1620.html

http://www.securityfocus.com/bid/37118

http://www.ubuntu.com/usn/USN-888-1

http://www.vupen.com/english/advisories/2009/3335

http://www.vupen.com/english/advisories/2010/0176

http://www.vupen.com/english/advisories/2010/0528

http://www.vupen.com/english/advisories/2010/0622

https://bugzilla.redhat.com/show_bug.cgi?id=538744

https://exchange.xforce.ibmcloud.com/vulnerabilities/54416

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952488

https://issues.rpath.com/browse/RPL-3152

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10821

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11745

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7261

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7459

https://www.isc.org/advisories/CVE2009-4022

https://www.isc.org/advisories/CVE-2009-4022v6

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01172.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01188.html

Details

Source: MITRE

Published: 2009-11-25

Updated: 2017-09-19

Risk Information

CVSS v2

Base Score: 2.6

Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 4.9

Severity: LOW

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:isc:bind:9.0:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.0:rc4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.0:rc5:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.0:rc6:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.1:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.1:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.0.1:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.0:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.1:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.1:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.1:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.1:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.1:rc4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.1:rc5:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.1:rc6:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.1:rc7:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.2:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.2:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.3:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.3:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.3:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.1.3:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:a1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:a2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:a3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc10:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc5:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc6:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc7:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc8:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.0:rc9:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.1:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.1:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.1:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.2:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.2:p2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.2:p3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.2:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.3:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.3:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.3:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.3:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.3:rc4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.4:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.4:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.4:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.4:rc4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.4:rc5:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.4:rc6:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.4:rc7:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.4:rc8:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.5:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.5:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.5:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.6:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.6:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.7:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.7:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.7:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.7:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.8:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.9:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.2.9:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.0:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.0:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.0:b3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.0:b4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.0:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.0:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.0:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.0:rc4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.1:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.1:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.1:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.2:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.2:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.3:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.3:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.3:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.3:rc3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.4:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.5:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.5:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.5:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.6:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.3.6:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:a1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:a2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:a3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:a4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:a5:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:a6:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:b3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:b4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.0:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.1:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.2:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.2:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.2:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.3:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.3:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.3:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.3:b3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.3:p1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.3:p2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.3:p3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.4.3:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:a1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:a2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:a3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:a4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:a5:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:a6:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:a7:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:b3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:p1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:p2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:p2_w1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:p2_w2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.0:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.1:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.1:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.1:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.1:b3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.1:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.1:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.2:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.2:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.5.2:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.0:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.0:a1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.0:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.0:p1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.0:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.0:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.1:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.1:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.1:p1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.6.1:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:a1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:a2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:a3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:b2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:b3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:p1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.7.0:rc2:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 89737 | VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check) | Nessus | VMware ESX Local Security Checks | high |
| 78835 | F5 Networks BIG-IP : BIND vulnerability (SOL15787) | Nessus | F5 Networks Local Security Checks | high |
| 78697 | F5 Networks BIG-IP : BIND vulnerability (SOL15748) | Nessus | F5 Networks Local Security Checks | medium |
| 78124 | F5 Networks BIG-IP : DNSSEC BIND vulnerability (SOL10898) | Nessus | F5 Networks Local Security Checks | low |
| 67965 | Oracle Linux 5 : bind (ELSA-2009-1620) | Nessus | Oracle Linux Local Security Checks | low |
| 60726 | Scientific Linux Security Update : bind on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 60697 | Scientific Linux Security Update : bind on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | low |
| 56481 | Mac OS X Multiple Vulnerabilities (Security Update 2011-006) | Nessus | MacOS X Local Security Checks | critical |
| 54879 | Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2010-176-01) | Nessus | Slackware Local Security Checks | medium |
| 54874 | Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2009-336-01) | Nessus | Slackware Local Security Checks | low |
| 46813 | HP-UX PHNE_40339 : s700_800 11.23 BIND 9.2.0 Revision 5.0 | Nessus | HP-UX Local Security Checks | high |
| 46778 | GLSA-201006-11 : BIND: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 44993 | VMSA-2010-0004 : ESX Service Console and vMA third-party updates | Nessus | VMware ESX Local Security Checks | high |
| 44826 | Debian DSA-1961-1 : bind9 - DNS cache poisoning | Nessus | Debian Local Security Checks | low |
| 44311 | SuSE 11 Security Update : bind (SAT Patch Number 1844) | Nessus | SuSE Local Security Checks | medium |
| 44309 | openSUSE Security Update : bind (bind-1845) | Nessus | SuSE Local Security Checks | medium |
| 44307 | openSUSE Security Update : bind (bind-1845) | Nessus | SuSE Local Security Checks | medium |
| 44305 | openSUSE Security Update : bind (bind-1843) | Nessus | SuSE Local Security Checks | medium |
| 44106 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : bind9 vulnerabilities (USN-888-1) | Nessus | Ubuntu Local Security Checks | medium |
| 44102 | Mandriva Linux Security Advisory : bind (MDVSA-2010:021) | Nessus | Mandriva Local Security Checks | high |
| 43809 | CentOS 5 : bind (CESA-2009:1620) | Nessus | CentOS Local Security Checks | low |
| 43058 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : bind9 vulnerability (USN-865-1) | Nessus | Ubuntu Local Security Checks | low |
| 42999 | Mandriva Linux Security Advisory : bind (MDVSA-2009:313-1) | Nessus | Mandriva Local Security Checks | low |
| 42983 | ISC BIND 9 DNSSEC Cache Poisoning | Nessus | DNS | low |
| 42956 | SuSE 11 Security Update : bind (SAT Patch Number 1617) | Nessus | SuSE Local Security Checks | low |
| 42954 | openSUSE Security Update : bind (bind-1615) | Nessus | SuSE Local Security Checks | low |
| 42951 | openSUSE Security Update : bind (bind-1615) | Nessus | SuSE Local Security Checks | low |
| 42949 | openSUSE Security Update : bind (bind-1615) | Nessus | SuSE Local Security Checks | low |
| 42946 | RHEL 5 : bind (RHSA-2009:1620) | Nessus | Red Hat Local Security Checks | low |
| 42918 | Mandriva Linux Security Advisory : php (MDVSA-2009:304) | Nessus | Mandriva Local Security Checks | high |
| 42911 | Fedora 12 : bind-9.6.1-13.P2.fc12 (2009-12233) | Nessus | Fedora Local Security Checks | low |
| 42910 | Fedora 11 : bind-9.6.1-7.P2.fc11 (2009-12218) | Nessus | Fedora Local Security Checks | low |
| 5243 | ISC BIND 9 DNSSEC Query Response Remote Cache Poisoning | Nessus Network Monitor | DNS Servers | medium |