With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-1845 advisory.

  - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to     a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection     to a server could consume more resources than the server has been provisioned to handle. When a TCP     connection with a large number of pipelined queries is closed, the load on the server releasing these     multiple resources can cause it to become unresponsive, even for queries that can be answered     authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).
    (CVE-2019-6477)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-1061 advisory.

  - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones     are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and     versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for     vulnerability to CVE-2019-6465. (CVE-2019-6465)

  - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust     anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.
    Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for     vulnerability to CVE-2018-5745. (CVE-2018-5745)

  - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to     a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection     to a server could consume more resources than the server has been provisioned to handle. When a TCP     connection with a large number of pipelined queries is closed, the load on the server releasing these     multiple resources can cause it to become unresponsive, even for queries that can be answered     authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).
    (CVE-2019-6477)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has bind packages installed that are affected by multiple vulnerabilities:

  - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust     anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.
    Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for     vulnerability to CVE-2018-5745. (CVE-2018-5745)

  - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones     are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and     versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for     vulnerability to CVE-2019-6465. (CVE-2019-6465)

  - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to     a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection     to a server could consume more resources than the server has been provisioned to handle. When a TCP     connection with a large number of pipelined queries is closed, the load on the server releasing these     multiple resources can cause it to become unresponsive, even for queries that can be answered     authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).
    (CVE-2019-6477)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has bind packages installed that are affected by multiple vulnerabilities:

  - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust     anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.
    Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for     vulnerability to CVE-2018-5745. (CVE-2018-5745)

  - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones     are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and     versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for     vulnerability to CVE-2019-6465. (CVE-2019-6465)

  - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to     a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection     to a server could consume more resources than the server has been provisioned to handle. When a TCP     connection with a large number of pipelined queries is closed, the load on the server releasing these     multiple resources can cause it to become unresponsive, even for queries that can be answered     authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).
    (CVE-2019-6477)

  - Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an     inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the     server. Since BIND, by default, configures a local session key even on servers whose configuration does     not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating     from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately     exits. Prior to the introduction of the check the server would continue operating in an inconsistent     state, with potentially harmful results. (CVE-2020-8617)

  - A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches     performed when processing referrals can, through the use of specially crafted referrals, cause a recursing     server to issue a very large number of fetches in an attempt to process the referral. This has at least     two potential effects: The performance of the recursing server can potentially be degraded by the     additional work required to perform these fetches, and The attacker can exploit this behavior to use the     recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for bind fixes the following issues :

BIND was upgraded to version 9.16.6 :

Note :

bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues :

CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server.
(bsc#1171740) Address records are limited to 4 for any domain.

CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)

CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).

CVE-2018-5741: Fixed the documentation (bsc#1109160).

CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).

CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).

CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains.
The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).

CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).

CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).

CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).

CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed :

Add engine support to OpenSSL EdDSA implementation.

Add engine support to OpenSSL ECDSA implementation.

Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.

Warn about AXFR streams with inconsistent message IDs.

Make ISC rwlock implementation the default again.

Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)

Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)

Fixed an issue where bind was not working in FIPS mode (bsc#906079).

Fixed dependency issues (bsc#1118367 and bsc#1118368).

GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).

Fixed an issue with FIPS (bsc#1128220).

The liblwres library is discontinued upstream and is no longer included.

Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).

Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.

The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.

Zone timers are now exported via statistics channel.

The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.

'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.

Add 'rndc dnssec -status' command.

Addressed a couple of situations where named could crash.

Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf]

Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).

Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)

/usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]

Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).

Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for bind fixes the following issues :

BIND was upgraded to version 9.16.6 :

Note :

  - bind is now more strict in regards to DNSSEC. If queries     are not working, check for DNSSEC issues. For instance,     if bind is used in a namserver forwarder chain, the     forwarding DNS servers must support DNSSEC.

Fixing security issues :

  - CVE-2020-8616: Further limit the number of queries that     can be triggered from a request. Root and TLD servers     are no longer exempt from max-recursion-queries. Fetches     for missing name server. (bsc#1171740) Address records     are limited to 4 for any domain.

  - CVE-2020-8617: Replaying a TSIG BADTIME response as a     request could trigger an assertion failure.
    (bsc#1171740)

  - CVE-2019-6477: Fixed an issue where TCP-pipelined     queries could bypass the tcp-clients limit     (bsc#1157051).

  - CVE-2018-5741: Fixed the documentation (bsc#1109160).

  - CVE-2020-8618: It was possible to trigger an INSIST when     determining whether a record would fit into a TCP     message buffer (bsc#1172958).

  - CVE-2020-8619: It was possible to trigger an INSIST in     lib/dns/rbtdb.c:new_reference() with a particular zone     content and query patterns (bsc#1172958).

  - CVE-2020-8624: 'update-policy' rules of type 'subdomain'     were incorrectly treated as 'zonesub' rules, which     allowed keys used in 'subdomain' rules to update names     outside of the specified subdomains. The problem was     fixed by making sure 'subdomain' rules are again     processed as described in the ARM (bsc#1175443).

  - CVE-2020-8623: When BIND 9 was compiled with native     PKCS#11 support, it was possible to trigger an assertion     failure in code determining the number of bits in the     PKCS#11 RSA public key with a specially crafted packet     (bsc#1175443).

  - CVE-2020-8621: named could crash in certain query     resolution scenarios where QNAME minimization and     forwarding were both enabled (bsc#1175443).

  - CVE-2020-8620: It was possible to trigger an assertion     failure by sending a specially crafted large TCP DNS     message (bsc#1175443).

  - CVE-2020-8622: It was possible to trigger an assertion     failure when verifying the response to a TSIG-signed     request (bsc#1175443).

Other issues fixed :

  - Add engine support to OpenSSL EdDSA implementation.

  - Add engine support to OpenSSL ECDSA implementation.

  - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.

  - Warn about AXFR streams with inconsistent message IDs.

  - Make ISC rwlock implementation the default again.

  - Fixed issues when using cookie-secrets for AES and SHA2     (bsc#1161168)

  - Installed the default files in /var/lib/named and     created chroot environment on systems using     transactional-updates (bsc#1100369, fate#325524)

  - Fixed an issue where bind was not working in FIPS mode     (bsc#906079).

  - Fixed dependency issues (bsc#1118367 and bsc#1118368).

  - GeoIP support is now discontinued, now GeoIP2 is     used(bsc#1156205).

  - Fixed an issue with FIPS (bsc#1128220).

  - The liblwres library is discontinued upstream and is no     longer included.

  - Added service dependency on NTP to make sure the clock     is accurate when bind is starts (bsc#1170667,     bsc#1170713).

  - Reject DS records at the zone apex when loading master     files. Log but otherwise ignore attempts to add DS     records at the zone apex via UPDATE.

  - The default value of 'max-stale-ttl' has been changed     from 1 week to 12 hours.

  - Zone timers are now exported via statistics channel.

  - The 'primary' and 'secondary' keywords, when used as     parameters for 'check-names', were not processed     correctly and were being ignored.

  - 'rndc dnstap -roll <value>' did not limit the number of     saved files to <value>.

  - Add 'rndc dnssec -status' command.

  - Addressed a couple of situations where named could     crash.

  - Changed /var/lib/named to owner root:named and perms     rwxrwxr-t so that named, being a/the only member of the     'named' group has full r/w access yet cannot change     directories owned by root in the case of a compromized     named. [bsc#1173307, bind-chrootenv.conf]

  - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in     /etc/sysconfig/named to suppress warning message re     missing file (bsc#1173983).

  - Removed '-r /dev/urandom' from all invocations of     rndc-confgen (init/named system/lwresd.init     system/named.init in vendor-files) as this option is     deprecated and causes rndc-confgen to fail.
    (bsc#1173311, bsc#1176674, bsc#1170713)

  - /usr/bin/genDDNSkey: Removing the use of the -r option     in the call of /usr/sbin/dnssec-keygen as BIND now uses     the random number functions provided by the crypto     library (i.e., OpenSSL or a PKCS#11 provider) as a     source of randomness rather than /dev/random. Therefore     the -r command line option no longer has any effect on     dnssec-keygen. Leaving the option in genDDNSkey as to     not break compatibility. Patch provided by Stefan     Eisenwiener. [bsc#1171313]

  - Put libns into a separate subpackage to avoid file     conflicts in the libisc subpackage due to different     sonums (bsc#1176092).

  - Require /sbin/start_daemon: both init scripts, the one     used in systemd context as well as legacy sysv, make use     of start_daemon.

This update was imported from the SUSE:SLE-15:Update update project.

The remote NewStart CGSL host, running version MAIN 6.01, has bind packages installed that are affected by multiple vulnerabilities:

  - With pipelining enabled each incoming query on a TCP     connection requires a similar resource allocation to a     query received via UDP or via TCP without pipelining     enabled. A client using a TCP-pipelined connection to a     server could consume more resources than the server has     been provisioned to handle. When a TCP connection with a     large number of pipelined queries is closed, the load on     the server releasing these multiple resources can cause     it to become unresponsive, even for queries that can be     answered authoritatively or from cache. (This is most     likely to be perceived as an intermittent server     problem). (CVE-2019-6477)

  - A malicious actor who intentionally exploits this lack     of effective limitation on the number of fetches     performed when processing referrals can, through the use     of specially crafted referrals, cause a recursing server     to issue a very large number of fetches in an attempt to     process the referral. This has at least two potential     effects: The performance of the recursing server can     potentially be degraded by the additional work required     to perform these fetches, and The attacker can exploit     this behavior to use the recursing server as a reflector     in a reflection attack with a high amplification factor.
    (CVE-2020-8616)

  - Using a specially-crafted message, an attacker may     potentially cause a BIND server to reach an inconsistent     state if the attacker knows (or successfully guesses)     the name of a TSIG key used by the server. Since BIND,     by default, configures a local session key even on     servers whose configuration does not otherwise make use     of it, almost all current BIND servers are vulnerable.
    In releases of BIND dating from March 2018 and after, an     assertion check in tsig.c detects this inconsistent     state and deliberately exits. Prior to the introduction     of the check the server would continue operating in an     inconsistent state, with potentially harmful results.
    (CVE-2020-8617)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

'managed-keys' is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745 . (CVE-2018-5745)

With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem). (CVE-2019-6477)

Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition.
Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465 . (CVE-2019-6465)

Several vulnerabilities were discovered in BIND, a DNS server implementation.

  - CVE-2019-6477     It was discovered that TCP-pipelined queries can bypass     tcp-client limits resulting in denial of service.

  - CVE-2020-8616     It was discovered that BIND does not sufficiently limit     the number of fetches performed when processing     referrals. An attacker can take advantage of this flaw     to cause a denial of service (performance degradation)     or use the recursing server in a reflection attack with     a high amplification factor.

  - CVE-2020-8617     It was discovered that a logic error in the code which     checks TSIG validity can be used to trigger an assertion     failure, resulting in denial of service.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1845 advisory.

  - bind: TCP Pipelining doesn't limit TCP clients on a single connection (CVE-2019-6477)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

* bind: TCP Pipelining doesn't limit TCP clients on a single connection * bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys * bind:
Controls for zone transfers may not be properly applied to DLZs if the zones are writable

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1061 advisory.

  - bind: An assertion failure if a trust anchor rolls over     to an unsupported key algorithm when using managed-keys     (CVE-2018-5745)

  - bind: Controls for zone transfers may not be properly     applied to DLZs if the zones are writable     (CVE-2019-6465)

  - bind: TCP Pipelining doesn't limit TCP clients on a     single connection (CVE-2019-6477)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the bind packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A programming error in the nxdomain-redirect feature     can cause an assertion failure in query.c if the     alternate namespace used by nxdomain-redirect is a     descendant of a zone that is served locally. The most     likely scenario where this might occur is if the     server, in addition to performing NXDOMAIN redirection     for recursive clients, is also serving a local copy of     the root zone or using mirroring to provide the root     zone, although other configurations are also possible.
    Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also     affects all releases in the 9.13 development     branch.(CVE-2019-6467)

  - With pipelining enabled each incoming query on a TCP     connection requires a similar resource allocation to a     query received via UDP or via TCP without pipelining     enabled. A client using a TCP-pipelined connection to a     server could consume more resources than the server has     been provisioned to handle. When a TCP connection with     a large number of pipelined queries is closed, the load     on the server releasing these multiple resources can     cause it to become unresponsive, even for queries that     can be answered authoritatively or from cache. (This is     most likely to be perceived as an intermittent server     problem).(CVE-2019-6477)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1061 advisory.

  - bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using     managed-keys (CVE-2018-5745)

  - bind: Controls for zone transfers may not be properly applied to DLZs if the zones are writable     (CVE-2019-6465)

  - bind: TCP Pipelining doesn't limit TCP clients on a single connection (CVE-2019-6477)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - With pipelining enabled each incoming query on a TCP     connection requires a similar resource allocation to a     query received via UDP or via TCP without pipelining     enabled. A client using a TCP-pipelined connection to a     server could consume more resources than the server has     been provisioned to handle. When a TCP connection with     a large number of pipelined queries is closed, the load     on the server releasing these multiple resources can     cause it to become unresponsive, even for queries that     can be answered authoritatively or from cache. (This is     most likely to be perceived as an intermittent server     problem).(CVE-2019-6477)

  - A programming error in the nxdomain-redirect feature     can cause an assertion failure in query.c if the     alternate namespace used by nxdomain-redirect is a     descendant of a zone that is served locally. The most     likely scenario where this might occur is if the     server, in addition to performing NXDOMAIN redirection     for recursive clients, is also serving a local copy of     the root zone or using mirroring to provide the root     zone, although other configurations are also possible.
    Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also     affects all releases in the 9.13 development     branch.(CVE-2019-6467)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem). (CVE-2019-6477)

Impact

An attacker may be able to use TCP-pipelined queries to increase the load on the system, causing it to become unresponsive.

New minor release with fix for latest CVE

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A denial of service (DoS) vulnerability exists in ISC BIND 9 due to TCP Client issues. An unauthenticated, remote attacker can exploit this issue, via DNS Request, to cause the device to stop responding.

New [minor release](https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bin d-9.11.13.html) with fix for latest CVE.

Includes TCP high-water in rndc status.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Bind incorrectly handled certain TCP-pipelined queries. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New bind packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix a security issue.

ID	Name	Product	Family	Severity
180987	Oracle Linux 8 : bind (ELSA-2020-1845)	Nessus	Oracle Linux Local Security Checks	high
180700	Oracle Linux 7 : bind (ELSA-2020-1061)	Nessus	Oracle Linux Local Security Checks	medium
164612	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17.1)	Nessus	Misc.	critical
164595	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.18)	Nessus	Misc.	critical
144003	NewStart CGSL CORE 5.05 / MAIN 5.05 : bind Multiple Vulnerabilities (NS-SA-2020-0095)	Nessus	NewStart CGSL Local Security Checks	medium
143897	NewStart CGSL CORE 5.04 / MAIN 5.04 : bind Multiple Vulnerabilities (NS-SA-2020-0063)	Nessus	NewStart CGSL Local Security Checks	medium
143842	SUSE SLED15 / SLES15 Security Update : bind (SUSE-SU-2020:2914-1)	Nessus	SuSE Local Security Checks	medium
141839	openSUSE Security Update : bind (openSUSE-2020-1701)	Nessus	SuSE Local Security Checks	medium
141560	openSUSE Security Update : bind (openSUSE-2020-1699)	Nessus	SuSE Local Security Checks	medium
138773	NewStart CGSL MAIN 6.01 : bind Multiple Vulnerabilities (NS-SA-2020-0031)	Nessus	NewStart CGSL Local Security Checks	high
138043	Amazon Linux 2 : bind (ALAS-2020-1441)	Nessus	Amazon Linux Local Security Checks	medium
136721	Debian DSA-4689-1 : bind9 - security update	Nessus	Debian Local Security Checks	high
136043	RHEL 8 : bind (RHSA-2020:1845)	Nessus	Red Hat Local Security Checks	high
135801	Scientific Linux Security Update : bind on SL7.x x86_64 (20200407)	Nessus	Scientific Linux Local Security Checks	medium
135328	CentOS 7 : bind (CESA-2020:1061)	Nessus	CentOS Local Security Checks	medium
135142	EulerOS Virtualization for ARM 64 3.0.6.0 : bind (EulerOS-SA-2020-1355)	Nessus	Huawei Local Security Checks	high
135069	RHEL 7 : bind (RHSA-2020:1061)	Nessus	Red Hat Local Security Checks	medium
133975	EulerOS 2.0 SP8 : bind (EulerOS-SA-2020-1141)	Nessus	Huawei Local Security Checks	high
133625	F5 Networks BIG-IP : BIND vulnerability (K15840535)	Nessus	F5 Networks Local Security Checks	high
132030	Fedora 30 : 12:dhcp / 32:bind / bind-dyndb-ldap / dnsperf (2019-c703d2304a)	Nessus	Fedora Local Security Checks	high
131735	ISC BIND 9.11.0 / 9.11.x < 9.11.13 / 9.11.x < 9.11.13-S1 / 9.12.x < 9.12.5-P2 / 9.14.x < 9.14.8 / 9.15 / 9.15.x < 9.15.6 Vulnerability	Nessus	DNS	high
131450	Fedora 31 : 32:bind / bind-dyndb-ldap / dnsperf (2019-73a8737068)	Nessus	Fedora Local Security Checks	high
131225	Ubuntu 18.04 LTS : Bind vulnerability (USN-4197-1)	Nessus	Ubuntu Local Security Checks	high
131178	Slackware 14.0 / 14.1 / 14.2 / current : bind (SSA:2019-324-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2019-6477

high

Tenable Plugins

high

medium

critical

critical

medium

medium

medium

medium

medium

high

medium

high

high

medium

medium

high

medium

high

high

high

high

high

high

high