| VID |
19018 |
| Severity |
30 |
| Port |
53 |
| Protocol |
UDP |
| Class |
DNS |
| Detailed Description |
The BIND daemon, according to its version number, has a denial of service vulnerability in the 'authvalidator()' function. ISC BIND (Berkeley Internet Name Daemon) is a server utility that implements the DNS (domain name service) protocol. It is widely used on the Internet. BIND version 9.3.0 is vulnerable to a denial of service attack, due to a logic error in the validator implemented in the 'authvalidator()' function. A remote attacker may exploit this vulnerability to cause the affected server to crash, denying service to legitimate users, when DNSSEC validation (which is off by default) is enabled.
* Note: This check solely relied on the version number of the remote BIND server to assess this vulnerability, so this might be a false positive.
* References:
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.kb.cert.org/vuls/id/938617
http://www.niscc.gov.uk/niscc/docs/al-20050125-00060.html?lang=en
* Platforms Affected:
ISC BIND 9.3.0
Linux Any version
Unix Any version |
| Recommendation |
Upgrade to the latest version of ISC BIND (9.3.1 or later), available from the Internet Software Consortium (ISC) Web site at http://www.isc.org/index.pl?/sw/bind/
ISC recommends that users that are unable to apply the patch turn off dnssec validation (which is off by default) at the options/view level.
The relevant BIND configuration directive is:
dnssec-enable no; |
| Related URL |
CVE-2005-0034 (CVE) |
| Related URL |
12365 (SecurityFocus) |
| Related URL |
(ISS) |
|
