A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible. Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also affects all releases in the 9.13 development branch.

An update of the bindutils package has been released.

According to the versions of the bind packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A programming error in the nxdomain-redirect feature     can cause an assertion failure in query.c if the     alternate namespace used by nxdomain-redirect is a     descendant of a zone that is served locally. The most     likely scenario where this might occur is if the     server, in addition to performing NXDOMAIN redirection     for recursive clients, is also serving a local copy of     the root zone or using mirroring to provide the root     zone, although other configurations are also possible.
    Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also     affects all releases in the 9.13 development     branch.(CVE-2019-6467)

  - With pipelining enabled each incoming query on a TCP     connection requires a similar resource allocation to a     query received via UDP or via TCP without pipelining     enabled. A client using a TCP-pipelined connection to a     server could consume more resources than the server has     been provisioned to handle. When a TCP connection with     a large number of pipelined queries is closed, the load     on the server releasing these multiple resources can     cause it to become unresponsive, even for queries that     can be answered authoritatively or from cache. (This is     most likely to be perceived as an intermittent server     problem).(CVE-2019-6477)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - With pipelining enabled each incoming query on a TCP     connection requires a similar resource allocation to a     query received via UDP or via TCP without pipelining     enabled. A client using a TCP-pipelined connection to a     server could consume more resources than the server has     been provisioned to handle. When a TCP connection with     a large number of pipelined queries is closed, the load     on the server releasing these multiple resources can     cause it to become unresponsive, even for queries that     can be answered authoritatively or from cache. (This is     most likely to be perceived as an intermittent server     problem).(CVE-2019-6477)

  - A programming error in the nxdomain-redirect feature     can cause an assertion failure in query.c if the     alternate namespace used by nxdomain-redirect is a     descendant of a zone that is served locally. The most     likely scenario where this might occur is if the     server, in addition to performing NXDOMAIN redirection     for recursive clients, is also serving a local copy of     the root zone or using mirroring to provide the root     zone, although other configurations are also possible.
    Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also     affects all releases in the 9.13 development     branch.(CVE-2019-6467)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ISC BIND versions 9.12.x prior to 9.12.4-P1, or 9.13.x prior to 9.14.1 are affected by a DoS vulnerability in the nxdomain-redirect feature in the query.c. An unauthenticated, remote attacker can exploit this issue, to cause the application to stop responding.

ID	Name	Product	Family	Severity
203761	Photon OS 3.0: Bindutils PHSA-2020-3.0-0049	Nessus	PhotonOS Local Security Checks	medium
135142	EulerOS Virtualization for ARM 64 3.0.6.0 : bind (EulerOS-SA-2020-1355)	Nessus	Huawei Local Security Checks	high
133975	EulerOS 2.0 SP8 : bind (EulerOS-SA-2020-1141)	Nessus	Huawei Local Security Checks	high
132987	Photon OS 2.0: Bindutils PHSA-2020-2.0-0199	Nessus	PhotonOS Local Security Checks	high
124588	ISC BIND 9.12.x < 9.12.4-P1, 9.13.x < 9.14.1 Denial of Service Vulnerability	Nessus	DNS	high

Detections

Analytics

CVE-2019-6467

high

Tenable Plugins

medium

high

high

high

high