CVE-2010-0097 in Mac OS Xinfo

Summary

by MITRE

ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/11/2025

The vulnerability described in CVE-2010-0097 represents a critical flaw in the Internet Systems Consortium BIND DNS server software that affects versions ranging from 9.0.x through 9.3.x, as well as specific patched releases in the 9.4.x, 9.5.x, and 9.6.x series. This vulnerability stems from inadequate validation mechanisms within the DNS Security Extensions (DNSSEC) implementation, specifically targeting the handling of NSEC and NSEC3 records. The flaw allows remote attackers to manipulate DNS responses in a manner that could compromise the integrity of DNS security measures and potentially enable cache poisoning attacks.

The technical root cause of this vulnerability lies in the improper validation of DNSSEC records within the BIND server implementation. When processing DNS queries, the server fails to adequately verify the authenticity of NSEC (Next Secure) and NSEC3 (Next Secure 3) records that are used to prove the non-existence of domain names. These records are fundamental to DNSSEC's ability to provide authenticated denial of existence, which should prevent attackers from creating false NXDOMAIN responses that appear legitimate to clients. The vulnerability specifically enables attackers to manipulate the Authenticated Data (AD) flag in forged NXDOMAIN responses, making them appear as if they were properly authenticated by the DNS server.

This flaw has significant operational impact on DNS infrastructure security, as it undermines the core principle of DNSSEC validation that should prevent attackers from creating convincing false responses. When an attacker can successfully add the AD flag to a forged NXDOMAIN response, they effectively bypass DNSSEC validation mechanisms that are designed to ensure the authenticity and integrity of DNS data. This vulnerability can be exploited to perform cache poisoning attacks against DNS resolvers that rely on DNSSEC validation, potentially redirecting traffic to malicious servers or enabling man-in-the-middle attacks. The attack vector requires remote access to the vulnerable DNS server and can be executed without authentication, making it particularly dangerous for public-facing DNS infrastructure.

The vulnerability maps to CWE-20, "Improper Input Validation," within the Common Weakness Enumeration framework, as it involves insufficient validation of DNSSEC records during processing. From an ATT&CK perspective, this vulnerability aligns with T1071.004, "Application Layer Protocol: DNS," and T1499.004, "Endpoint Denial of Service," as it enables attackers to manipulate DNS responses and potentially cause service disruption. The impact extends beyond simple cache poisoning to potentially enable more sophisticated attacks such as DNS tunneling or data exfiltration through manipulated DNS responses. Organizations running vulnerable BIND versions should immediately implement patches from ISC releases 9.4.3-P5, 9.5.2-P2, and 9.6.1-P3, which contain the necessary fixes for DNSSEC record validation. Additionally, network administrators should monitor DNS traffic for anomalous patterns and implement proper DNSSEC validation monitoring to detect potential exploitation attempts. The vulnerability underscores the critical importance of keeping DNS infrastructure updated and maintaining proper security monitoring procedures to prevent exploitation of DNSSEC implementation flaws that could compromise entire network infrastructures.

Reservation

12/30/2009

Disclosure

01/22/2010

Moderation

accepted

Entry

VDB-4426

CPE

ready

EPSS

0.09363

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!