ISC BIND up to 9.11.12/9.12.4-P2/9.14.7/9.15.5 TCP Connection denial of service
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.9 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been found in ISC BIND up to 9.11.12/9.12.4-P2/9.14.7/9.15.5. It affects an unknown function. Manipulation as part of a TCP connection leads to denial of service. The vulnerability is documented as CVE-2019-6477. The attack can be initiated remotely. No exploit is available. Upgrading the affected component is advised.
Details
A vulnerability classified as problematic has been found in ISC BIND up to 9.11.12/9.12.4-P2/9.14.7/9.15.5 (Domain Name Software). The issue affects an unknown functionality. Manipulation as part of a TCP connection leads to denial of service. The CWE classification is CWE-404: the product does not release or incorrectly releases a resource before it is made available for re-use. The impact is on availability. The summary by CVE is:
With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).
The weakness was released on 11/26/2019 (Website). The advisory is shared at kb.isc.org. The public release was coordinated with ISC. The vulnerability has been identified as CVE-2019-6477 since 01/16/2019. The attack may be initiated remotely. No form of authentication is needed for successful exploitation. Neither technical details nor an exploit are publicly available. The MITRE ATT&CK project uses the attack technique T1499 for this issue. The advisory points out:
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.
Upgrading to version 9.11.13, 9.14.8 or 9.15.6 eliminates this vulnerability. The problem can be mitigated by applying the configuration setting `keep-response-order { any; };`. Upgrading to the latest version is the recommended mitigation.
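A triage check for the upgrade and mitigation guidance above, as an added example that is not part of the original entry or of ISC's tooling: it compares a BIND version string against the affected ranges in this entry's title and looks for the `keep-response-order { any; };` setting in a configuration text. The function names and sample configurations are assumptions made for illustration, and the version ranges are limited to the four branches this entry lists.

```python
import re

# Last affected release per branch as (patch, P-level), from this entry's title.
LAST_AFFECTED = {(9, 11): (12, 0), (9, 12): (4, 2), (9, 14): (7, 0), (9, 15): (5, 0)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")
# The mitigation exactly as the entry gives it: keep-response-order { any; };
MITIGATION_RE = re.compile(r"keep-response-order\s*\{\s*any\s*;\s*\}\s*;")


def is_affected(version: str) -> bool:
    """True if the version falls in a branch range this entry lists as affected."""
    m = VERSION_RE.search(version)
    if m is None:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    plevel = int(m.group(4) or 0)
    last = LAST_AFFECTED.get((major, minor))
    return last is not None and (patch, plevel) <= last


def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so a commented-out setting is not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def assess(version: str, named_conf: str) -> str:
    """Classify one server from its version string and configuration text."""
    if not is_affected(version):
        return "not listed as affected"
    if MITIGATION_RE.search(strip_comments(named_conf)):
        return "affected, mitigated by config"
    return "affected, unmitigated"


# Constructed sample configurations (not taken from any real server).
CONF_COMMENTED = """options {
    directory "/var/named";
    // keep-response-order { any; };
};"""
CONF_MITIGATED = """options {
    directory "/var/named";
    keep-response-order { any; };
};"""

if __name__ == "__main__":
    for ver, conf in [("BIND 9.11.5-P4", CONF_COMMENTED),
                      ("9.14.7", CONF_MITIGATED),
                      ("9.14.8", CONF_COMMENTED)]:
        print(ver, "->", assess(ver, conf))
```

Distribution packages may backport the fix without changing the upstream version string, so an "affected" result from a packaged build should be confirmed against the distributor's changelog.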
Product
Version
- 9.11.0
- 9.11.1
- 9.11.2
- 9.11.3
- 9.11.4
- 9.11.5
- 9.11.6
- 9.11.7
- 9.11.8
- 9.11.9
- 9.11.10
- 9.11.11
- 9.11.12
- 9.12.4-P2
- 9.14.0
- 9.14.1
- 9.14.2
- 9.14.3
- 9.14.4
- 9.14.5
- 9.14.6
- 9.14.7
- 9.15.0
- 9.15.1
- 9.15.2
- 9.15.3
- 9.15.4
- 9.15.5
Website
- Vendor: https://www.isc.org/
CVSSv3
VulDB Meta Base Score: 6.9
VulDB Meta Temp Score: 6.9
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
Vendor Base Score (ISC): 7.5
NVD Base Score: 7.5
CNA Base Score: 7.5
Exploiting
Class: Denial of service
CWE: CWE-404
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: BIND 9.11.13/9.14.8/9.15.6
Config: keep-response-order { any; };
Timeline
01/16/2019
11/26/2019
11/27/2019
02/28/2024
Sources
Vendor: isc.org
Advisory: K15840535
Status: Confirmed
CVE: CVE-2019-6477
GCVE (CVE): GCVE-0-2019-6477
GCVE (VulDB): GCVE-100-146441
Entry
Created: 11/27/2019 08:59
Updated: 02/28/2024 15:31
Changes: 11/27/2019 08:59 (52), 11/27/2019 09:04 (12), 02/28/2024 15:26 (3), 02/28/2024 15:31 (19)