ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5747-1 advisory.

  - ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the     named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a     long request that uses the lightweight resolver protocol. (CVE-2016-2775)

  - ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS     servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly     allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows     remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE     message. (CVE-2016-6170)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 4.05, has bind packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the way BIND handled TSIG     authentication for dynamic updates. A remote attacker     able to communicate with an authoritative BIND server     could use this flaw to manipulate the contents of a     zone, by forging a valid TSIG or SIG(0) signature for a     dynamic update request. (CVE-2017-3143)

  - A flaw was found in the way BIND handled TSIG     authentication of AXFR requests. A remote attacker, able     to communicate with an authoritative BIND server, could     use this flaw to view the entire contents of a zone by     sending a specially constructed request packet.
    (CVE-2017-3142)

  - A denial of service flaw was found in the way BIND     handled DNSSEC validation. A remote attacker could use     this flaw to make named exit unexpectedly with an     assertion failure via a specially crafted DNS response.
    (CVE-2017-3139)

  - A denial of service flaw was found in the way BIND     handled a query response containing CNAME or DNAME     resource records in an unusual order. A remote attacker     could use this flaw to make named exit unexpectedly with     an assertion failure via a specially crafted DNS     response. (CVE-2017-3137)

  - It was found that the lightweight resolver protocol     implementation in BIND could enter an infinite recursion     and crash when asked to resolve a query name which, when     combined with a search list entry, exceeds the maximum     allowable length. A remote attacker could use this flaw     to crash lwresd or named when using the lwres     statement in named.conf. (CVE-2016-2775)

  - A denial of service flaw was found in the way BIND     handled query requests when using DNS64 with break-     dnssec yes option. A remote attacker could use this     flaw to make named exit unexpectedly with an assertion     failure via a specially crafted DNS request.
    (CVE-2017-3136)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the bind packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A denial of service flaw was found in the way BIND     constructed a response to a query that met certain     criteria. A remote attacker could use this flaw to make     named exit unexpectedly with an assertion failure via a     specially crafted DNS request packet.(CVE-2016-2776)

  - A denial of service flaw was found in the way BIND     processed certain control channel input. A remote     attacker able to send a malformed packet to the control     channel could use this flaw to cause named to     crash.(CVE-2016-1285)

  - A flaw was found in the way BIND performed DNSSEC     validation. An attacker able to make BIND (functioning     as a DNS resolver with DNSSEC validation enabled)     resolve a name in an attacker-controlled domain could     cause named to exit unexpectedly with an assertion     failure.(CVE-2015-4620)

  - A flaw was found in the way BIND handled requests for     TKEY DNS resource records. A remote attacker could use     this flaw to make named (functioning as an     authoritative DNS server or a DNS resolver) exit     unexpectedly with an assertion failure via a specially     crafted DNS request packet.(CVE-2015-5477)

  - A denial of service flaw was found in the way BIND     handled queries for NSEC3-signed zones. A remote     attacker could use this flaw against an authoritative     name server that served NCES3-signed zones by sending a     specially crafted query, which, when processed, would     cause named to crash.(CVE-2014-0591)

  - A denial of service flaw was found in the way BIND     parsed certain malformed DNSSEC keys. A remote attacker     could use this flaw to send a specially crafted DNS     query (for example, a query requiring a response from a     zone containing a deliberately malformed key) that     would cause named functioning as a validating resolver     to crash.(CVE-2015-5722)

  - It was found that the lightweight resolver protocol     implementation in BIND could enter an infinite     recursion and crash when asked to resolve a query name     which, when combined with a search list entry, exceeds     the maximum allowable length. A remote attacker could     use this flaw to crash lwresd or named when using the     'lwres' statement in named.conf.(CVE-2016-2775)

  - A denial of service flaw was found in the way BIND     processed certain records with malformed class     attributes. A remote attacker could use this flaw to     send a query to request a cached record with a     malformed class attribute that would cause named     functioning as an authoritative or recursive server to     crash. Note: This issue affects authoritative servers     as well as recursive servers, however authoritative     servers are at limited risk if they perform     authentication when making recursive queries to resolve     addresses for servers listed in NS     RRSETs.(CVE-2015-8000)

  - A denial of service flaw was found in the way BIND     handled responses containing a DNAME answer. A remote     attacker could use this flaw to make named exit     unexpectedly with an assertion failure via a specially     crafted DNS response.(CVE-2016-8864)

  - A denial of service flaw was found in the way BIND     processed a response to an ANY query. A remote attacker     could use this flaw to make named exit unexpectedly     with an assertion failure via a specially crafted DNS     response.(CVE-2016-9131)

  - A denial of service flaw was found in the way BIND     followed DNS delegations. A remote attacker could use a     specially crafted zone containing a large number of     referrals which, when looked up and processed, would     cause named to use excessive amounts of memory or     crash.(CVE-2014-8500)

  - A flaw was found in the way BIND handled trust anchor     management. A remote attacker could use this flaw to     cause the BIND daemon (named) to crash under certain     conditions.(CVE-2015-1349)

  - A denial of service flaw was found in the way BIND     parsed signature records for DNAME records. By sending     a specially crafted query, a remote attacker could use     this flaw to cause named to crash.(CVE-2016-1286)

  - A use-after-free flaw leading to denial of service was     found in the way BIND internally handled cleanup     operations on upstream recursion fetch contexts. A     remote attacker could potentially use this flaw to make     named, acting as a DNSSEC validating resolver, exit     unexpectedly with an assertion failure via a specially     crafted DNS request.(CVE-2017-3145)

  - A denial of service flaw was found in the way BIND     handled query requests when using DNS64 with     'break-dnssec yes' option. A remote attacker could use     this flaw to make named exit unexpectedly with an     assertion failure via a specially crafted DNS     request.(CVE-2017-3136)

  - A flaw was found in the way BIND handled TSIG     authentication of AXFR requests. A remote attacker,     able to communicate with an authoritative BIND server,     could use this flaw to view the entire contents of a     zone by sending a specially constructed request     packet.(CVE-2017-3142)

  - A flaw was found in the way BIND handled TSIG     authentication for dynamic updates. A remote attacker     able to communicate with an authoritative BIND server     could use this flaw to manipulate the contents of a     zone, by forging a valid TSIG or SIG(0) signature for a     dynamic update request.(CVE-2017-3143)

  - A denial of service flaw was discovered in bind     versions that include the 'deny-answer-aliases'     feature. This flaw may allow a remote attacker to     trigger an INSIST assert in named leading to     termination of the process and a denial of service     condition.(CVE-2018-5740)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for bind is now available for Red Hat Enterprise Linux 7.2 Extended Update Support and Red Hat Enterprise Linux 7.3 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es) :

* It was found that the lightweight resolver protocol implementation in BIND could enter an infinite recursion and crash when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. A remote attacker could use this flaw to crash lwresd or named when using the 'lwres' statement in named.conf. (CVE-2016-2775)

The version of bind installed on the remote AIX host is affected by the following vulnerabilities :

  - A denial of service vulnerability exists due to an error     in the lightweight resolver (lwres) protocol     implementation when resolving a query name that, when     combined with a search list entry, exceeds the maximum     allowable length. An unauthenticated, remote attacker     can exploit this to cause a segmentation fault,     resulting in a denial of service condition. This issue     occurs when lwresd or the the named 'lwres' option is     enabled. (CVE-2016-2775)

  - A denial of service vulnerability exists within file     buffer.c due to improper construction of responses to     crafted requests. An unauthenticated, remote attacker     can exploit this, via a specially crafted query, to     cause an assertion failure, resulting in a daemon exit.
    (CVE-2016-2776)

This update for bind fixes the following issues :

CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion.

CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64.

CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure.

CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response.
IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message.

CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

One additional non-security bug was fixed :

The default umask was changed to 077. (bsc#1020983)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

This update for bind fixes the following security issues:
CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion. CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64.
CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure. CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message. CVE-2016-2775 (bsc#989528):
When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for bind fixes the following issues: CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion. CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64. CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure. CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message. CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for bind fixes the following issues: CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion. CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64. CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure. CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message. CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. One additional non-security bug was fixed: The default umask was changed to 077. (bsc#1020983)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2,     and 9.11.x before 9.11.0b2, when lwresd or the named     lwres option is enabled, allows remote attackers to     cause a denial of service (daemon crash) via a long     request that uses the lightweight resolver     protocol.(CVE-2016-2775)

  - buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x     before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not     properly construct responses, which allows remote     attackers to cause a denial of service (assertion     failure and daemon exit) via a crafted     query.(CVE-2016-2776)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of ISC BIND 9.x prior to 9.9.9-P1, 9.9.9-S3, 9.10.4-P1 and 9.11.0b1 are unpatched for a flaw in 'lwresd' that is triggered during the handling of 'getrrsetbyname()' with a non-absolute name, which can cause an infinite recursion.  This may allow a remote attacker to cause a denial of service.

The remote host is affected by the vulnerability described in GLSA-201610-07 (BIND: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in BIND. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could cause a Denial of Service condition through       multiple attack vectors.
  Workaround :

    There is no known workaround at this time.

CVE-2016-2775

lwresd crash with long query name Backport of upstream commit 38cc2d14e218e536e0102fa70deef99461354232.

CVE-2016-2776

assertion failure due to unspecified crafted query Fix based on 43139-9-9.patch from ISC.

For Debian 7 'Wheezy', these problems have been fixed in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u11.

We recommend that you upgrade your bind9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two vulnerabilities were reported in BIND, a DNS server.

  - CVE-2016-2775     The lwresd component in BIND (which is not enabled by     default) could crash while processing an overlong     request name. This could lead to a denial of service.

  - CVE-2016-2776     A crafted query could crash the BIND name server daemon,     leading to a denial of service. All server roles     (authoritative, recursive and forwarding) in default     configurations are affected.

It was found that the lightweight resolver could crash due to an error when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. A remote attacker could use this flaw to crash lwresd or named when using the 'lwres' statement in named.conf.

Security fix for CVE-2016-2775

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ISC reports :

A query name which is too long can cause a segmentation fault in lwresd.

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.

According to its self-reported version number, the installation of ISC BIND running on the remote name server is 9.x prior to 9.9.9-P2, 9.10.x prior to 9.10.4-P2, or 9.11.0a3 prior to 9.11.0b2. It is, therefore, affected by an error in the lightweight resolver (lwres) protocol implementation when resolving a query name that, when combined with a search list entry, exceeds the maximum allowable length. An unauthenticated, remote attacker can exploit this to cause a segmentation fault, resulting in a denial of service condition. This issue occurs when lwresd or the the named 'lwres' option is enabled.

ID	Name	Product	Family	Severity
168280	Ubuntu 16.04 ESM : Bind vulnerabilities (USN-5747-1)	Nessus	Ubuntu Local Security Checks	medium
127330	NewStart CGSL MAIN 4.05 : bind Multiple Vulnerabilities (NS-SA-2019-0102)	Nessus	NewStart CGSL Local Security Checks	medium
124936	EulerOS Virtualization 3.0.1.0 : bind (EulerOS-SA-2019-1433)	Nessus	Huawei Local Security Checks	medium
102726	RHEL 7 : bind (RHSA-2017:2533)	Nessus	Red Hat Local Security Checks	medium
102125	AIX bind Advisory : bind_advisory13.asc (IV89828) (IV89829) (IV89830) (IV89831) (IV90056)	Nessus	AIX Local Security Checks	high
99499	openSUSE Security Update : bind (openSUSE-2017-491)	Nessus	SuSE Local Security Checks	high
99358	SUSE SLES11 Security Update : bind (SUSE-SU-2017:1000-1)	Nessus	SuSE Local Security Checks	high
99357	SUSE SLES12 Security Update : bind (SUSE-SU-2017:0999-1)	Nessus	SuSE Local Security Checks	high
99356	SUSE SLED12 / SLES12 Security Update : bind (SUSE-SU-2017:0998-1)	Nessus	SuSE Local Security Checks	high
97416	EulerOS 2.0 SP1 : bind (EulerOS-SA-2016-1052)	Nessus	Huawei Local Security Checks	high
9874	ISC BIND 9.x < 9.9.9-P1 / 9.9.9-S3 / 9.10.4-P1 / 9.11.0b1 DoS	Nessus Network Monitor	DNS Servers	medium
93994	GLSA-201610-07 : BIND: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
93868	Debian DLA-645-1 : bind9 security update	Nessus	Debian Local Security Checks	high
93748	Debian DSA-3680-1 : bind9 - security update	Nessus	Debian Local Security Checks	high
93537	Amazon Linux AMI : bind (ALAS-2016-745)	Nessus	Amazon Linux Local Security Checks	medium
93020	Fedora 23 : 32:bind (2016-3fba74e7f5)	Nessus	Fedora Local Security Checks	medium
92798	Fedora 23 : 12:dhcp / bind99 (2016-2941b3264e)	Nessus	Fedora Local Security Checks	medium
92772	FreeBSD : bind -- denial of service vulnerability (7a31e0de-5b6d-11e6-b334-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium
92647	Fedora 24 : bind99 (2016-53f0c65f40)	Nessus	Fedora Local Security Checks	medium
92645	Fedora 24 : 32:bind (2016-007efacd1c)	Nessus	Fedora Local Security Checks	medium
92523	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bind (SSA:2016-204-01)	Nessus	Slackware Local Security Checks	medium
92493	ISC BIND 9.x < 9.9.9-P2 / 9.10.x < 9.10.4-P2 / 9.11.0a3 < 9.11.0b2 lwres Query DoS	Nessus	DNS	medium

Detections

Analytics

CVE-2016-2775

medium

Tenable Plugins

medium

medium

medium

medium

high

high

high

high

high

high

medium

high

high

high

medium

medium

medium

medium

medium

medium

medium

medium