CVE-2019-6477 in BIND

Summary

by MITRE

With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).


Analysis

by VulDB Data Team • 02/28/2024

The vulnerability described in CVE-2019-6477 represents a resource exhaustion issue within DNS server implementations that utilize TCP pipelining functionality. This flaw specifically affects DNS servers that support pipelined TCP queries, where multiple DNS requests can be sent over a single TCP connection without waiting for individual responses. The vulnerability stems from the server's handling of resource allocation and deallocation processes when processing pipelined queries, creating a potential denial of service condition that can severely impact server availability and performance.

The flaw lies in the server's resource management during TCP connection handling with pipelining enabled. When a client establishes a TCP connection and sends multiple queries in rapid succession, the server allocates resources for each query as it processes them. However, when the connection is closed, the server must release all resources associated with the multiple pipelined queries simultaneously. This sudden resource deallocation process can overwhelm the server's system resources and processing capabilities, leading to temporary or extended periods of unresponsiveness.

This vulnerability directly maps to CWE-400, which describes "Uncontrolled Resource Consumption" in software systems. The flaw demonstrates how a legitimate protocol feature can be exploited to create resource exhaustion conditions that affect system availability. The operational impact extends beyond simple service disruption, as the server may become unresponsive to both pipelined queries and regular DNS lookups that should be handled from cache or authoritative data, creating a cascading effect on DNS resolution services.

The attack scenario typically involves a malicious or compromised client that establishes a TCP connection to a DNS server and sends a large number of pipelined queries. The attacker can then close the connection abruptly, triggering the resource release process that overwhelms the server. This type of attack aligns with ATT&CK technique T1499.004, which covers "Endpoint Denial of Service," and specifically targets the availability aspect of the confidentiality-integrity-availability (CIA) triad. The intermittent nature of the problem makes it particularly challenging to detect and diagnose, as it may appear as random server performance issues rather than a clear malicious attack pattern.

Mitigation strategies for this vulnerability include implementing connection rate limiting, setting maximum pipelined query limits per connection, and configuring proper resource allocation thresholds. Administrators should consider disabling TCP pipelining if it is not essential for their environment, or implementing robust monitoring to detect unusual resource consumption patterns. Additionally, servers should be configured with adequate resource provisioning to handle peak loads, and network-level rate limiting can help prevent single clients from overwhelming server resources through excessive pipelined queries. The vulnerability highlights the importance of proper resource management in network services and demonstrates how protocol features designed for performance optimization can become security risks when not properly constrained.
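One way to implement the per-connection pipelined query limit mentioned above, as an added example that is not BIND's code or its vendor's fix: a parser for DNS-over-TCP framing that admits at most a fixed number of queries per connection, so the state to release when the connection closes is bounded. The class and function names, the limit of 8 and the sample payloads are assumptions made for illustration.

```python
import struct

def frame(msg: bytes) -> bytes:
    """DNS-over-TCP framing: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg

class PipelineLimiter:
    """Per-connection state that caps in-flight pipelined queries (hypothetical helper)."""

    def __init__(self, max_in_flight: int = 8):  # 8 is an assumed limit
        self.max_in_flight = max_in_flight
        self.buf = bytearray()
        self.in_flight = 0

    def should_read(self) -> bool:
        # At the cap the caller stops reading the socket, so TCP flow control
        # pushes back on the client and the buffer holds at most one recv().
        return self.in_flight < self.max_in_flight

    def feed(self, data: bytes) -> list:
        """Buffer received bytes and return the queries admitted now."""
        self.buf += data
        return self._drain()

    def complete(self, n: int = 1) -> list:
        """n responses were sent: free their slots, admit buffered queries."""
        self.in_flight = max(0, self.in_flight - n)
        return self._drain()

    def close(self) -> int:
        """Connection closed: return how many per-query allocations to release."""
        released, self.in_flight = self.in_flight, 0
        self.buf.clear()
        return released

    def _drain(self) -> list:
        admitted = []
        while self.in_flight < self.max_in_flight and len(self.buf) >= 2:
            (length,) = struct.unpack_from("!H", self.buf)
            if len(self.buf) < 2 + length:
                break  # partial frame, wait for more bytes
            admitted.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
            self.in_flight += 1  # one per-query allocation happens here
        return admitted

if __name__ == "__main__":
    conn = PipelineLimiter()
    burst = b"".join(frame(b"q%02d" % i) for i in range(20))  # constructed payloads
    print(len(conn.feed(burst)), conn.should_read(), conn.close())
```

Without the cap, the same burst would leave one allocation per pipelined query to tear down at close, which is the unbounded release the summary describes.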
