cnvd - cnvd-2019-46783

cnvd-2019-46783

Vulnerability from cnvd

Title: BIND存在逻辑缺陷漏洞

Description:

BIND是美国ISC公司的一套实现了DNS协议的开源软件。

BIND存在逻辑缺陷漏洞，攻击者可通过TCP-pipelined查询利用该漏洞绕过TCP连接数量限制，导致拒绝服务。

Severity: 中

Patch Name: BIND存在逻辑缺陷漏洞的补丁

Patch Description:

BIND是美国ISC公司的一套实现了DNS协议的开源软件。

BIND存在逻辑缺陷漏洞，攻击者可通过TCP-pipelined查询利用该漏洞绕过TCP连接数量限制，导致拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.isc.org/pipermail/bind-announce/2019-November/001142.html

Impacted products

Name
['ISC BIND >=9.11.6-P1，<=9.11.12', 'ISC BIND >=9.12.4-P1，<=9.12.4-P2', 'ISC BIND >=9.14.1，<=9.14.7', 'ISC BIND >=9.11.5-S6，<=9.11.12-S1', 'ISC BIND >=9.15.0，<=9.15.5']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-6477"
    }
  },
  "description": "BIND\u662f\u7f8e\u56fdISC\u516c\u53f8\u7684\u4e00\u5957\u5b9e\u73b0\u4e86DNS\u534f\u8bae\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\n\nBIND\u5b58\u5728\u903b\u8f91\u7f3a\u9677\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7TCP-pipelined\u67e5\u8be2\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7TCP\u8fde\u63a5\u6570\u91cf\u9650\u5236\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "\u817e\u8baf\u5b89\u5168\u4e91\u9f0e\u5b9e\u9a8c\u5ba4",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.isc.org/pipermail/bind-announce/2019-November/001142.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-46783",
  "openTime": "2020-01-05",
  "patchDescription": "BIND\u662f\u7f8e\u56fdISC\u516c\u53f8\u7684\u4e00\u5957\u5b9e\u73b0\u4e86DNS\u534f\u8bae\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\r\n\r\nBIND\u5b58\u5728\u903b\u8f91\u7f3a\u9677\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7TCP-pipelined\u67e5\u8be2\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7TCP\u8fde\u63a5\u6570\u91cf\u9650\u5236\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "BIND\u5b58\u5728\u903b\u8f91\u7f3a\u9677\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "ISC BIND \u003e=9.11.6-P1\uff0c\u003c=9.11.12",
      "ISC BIND \u003e=9.12.4-P1\uff0c\u003c=9.12.4-P2",
      "ISC BIND \u003e=9.14.1\uff0c\u003c=9.14.7",
      "ISC BIND \u003e=9.11.5-S6\uff0c\u003c=9.11.12-S1",
      "ISC BIND \u003e=9.15.0\uff0c\u003c=9.15.5"
    ]
  },
  "serverity": "\u4e2d",
  "submitTime": "2019-11-21",
  "title": "BIND\u5b58\u5728\u903b\u8f91\u7f3a\u9677\u6f0f\u6d1e"
}

CVE-2019-6477 (GCVE-0-2019-6477)

Vulnerability from cvelistv5

Published

2019-11-26 16:11

Modified

2024-09-16 16:47

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit. 9.11.6-P1 -> 9.11.12, 9.12.4-P1 -> 9.12.4-P2, 9.14.1 -> 9.14.7, and versions 9.11.5-S6 -> 9.11.12-S1 of BIND 9 Supported Preview Edition. Versions 9.15.0 -> 9.15.5 of the BIND 9.15 development branch are also affected.

Summary

With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).

References

▼	URL	Tags
	https://kb.isc.org/docs/cve-2019-6477	x_refsource_CONFIRM
	https://www.synology.com/security/advisory/Synology_SA_19_39	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/	vendor-advisory, x_refsource_FEDORA
	https://support.f5.com/csp/article/K15840535?utm_source=f5support&amp%3Butm_medium=RSS	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/	vendor-advisory, x_refsource_FEDORA
	https://www.debian.org/security/2020/dsa-4689	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html	vendor-advisory, x_refsource_SUSE

Impacted products

	Vendor	Product	Version
	ISC	BIND9	Version: 9.11.6-P1 -> 9.11.12, 9.12.4-P1 -> 9.12.4-P2, 9.14.1 -> 9.14.7, and versions 9.11.5-S6 -> 9.11.12-S1 of BIND 9 Supported Preview Edition. Versions 9.15.0 -> 9.15.5 of the BIND 9.15 development branch are also affected

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:23:21.464Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.isc.org/docs/cve-2019-6477"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.synology.com/security/advisory/Synology_SA_19_39"
          },
          {
            "name": "FEDORA-2019-73a8737068",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K15840535?utm_source=f5support\u0026amp%3Butm_medium=RSS"
          },
          {
            "name": "FEDORA-2019-c703d2304a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/"
          },
          {
            "name": "DSA-4689",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4689"
          },
          {
            "name": "openSUSE-SU-2020:1699",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"
          },
          {
            "name": "openSUSE-SU-2020:1701",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BIND9",
          "vendor": "ISC",
          "versions": [
            {
              "status": "affected",
              "version": "9.11.6-P1 -\u003e 9.11.12, 9.12.4-P1 -\u003e 9.12.4-P2, 9.14.1 -\u003e 9.14.7, and versions 9.11.5-S6 -\u003e 9.11.12-S1 of BIND 9 Supported Preview Edition. Versions 9.15.0 -\u003e 9.15.5 of the BIND 9.15 development branch are also affected"
            }
          ]
        }
      ],
      "datePublic": "2019-11-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.  9.11.6-P1 -\u003e 9.11.12, 9.12.4-P1 -\u003e 9.12.4-P2, 9.14.1 -\u003e 9.14.7, and versions 9.11.5-S6 -\u003e 9.11.12-S1 of BIND 9 Supported Preview Edition. Versions 9.15.0 -\u003e 9.15.5 of the BIND 9.15 development branch are also affected.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-20T11:06:38",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.isc.org/docs/cve-2019-6477"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.synology.com/security/advisory/Synology_SA_19_39"
        },
        {
          "name": "FEDORA-2019-73a8737068",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.f5.com/csp/article/K15840535?utm_source=f5support\u0026amp%3Butm_medium=RSS"
        },
        {
          "name": "FEDORA-2019-c703d2304a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/"
        },
        {
          "name": "DSA-4689",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4689"
        },
        {
          "name": "openSUSE-SU-2020:1699",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"
        },
        {
          "name": "openSUSE-SU-2020:1701",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND:\n\n    BIND 9.11.13\n    BIND 9.14.8\n    BIND 9.15.6\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n    BIND 9.11.13-S1\n\nNote that the fix for CVE-2019-6477 addresses only the server memory leak issue. TCP-pipelining may still malfunction by dropping some responses on a TCP connection where a client query pattern generates excessive outstanding queries, but the malfunction will affect that TCP connection alone and will not cause any degradation of service to other clients. An affected client connection might also appear to hang, but will clear when either the client or the server initiates a close or reset and will not remain in that state indefinitely.\n\nDisabling TCP-pipelining entirely is completely effective at mitigating the vulnerability with minimal impact to clients that use pipelined TCP connections and with no impact to clients that do not support TCP-pipelining.\n\nThe majority of Internet client DNS queries are transported over UDP or TCP without use of TCP-pipelining."
        }
      ],
      "source": {
        "discovery": "USER"
      },
      "title": "TCP-pipelined queries can bypass tcp-clients limit",
      "workarounds": [
        {
          "lang": "en",
          "value": "The vulnerability can be avoided by disabling server TCP-pipelining:\n    keep-response-order { any; };\nand then restarting BIND. The server restart is necessary because neither a \u0027reload\u0027 nor a \u0027reconfig\u0027 operation will properly reset currently pipelining TCP clients."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-officer@isc.org",
          "DATE_PUBLIC": "2019-11-20T19:49:00.000Z",
          "ID": "CVE-2019-6477",
          "STATE": "PUBLIC",
          "TITLE": "TCP-pipelined queries can bypass tcp-clients limit"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "BIND9",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.11.6-P1 -\u003e 9.11.12, 9.12.4-P1 -\u003e 9.12.4-P2, 9.14.1 -\u003e 9.14.7, and versions 9.11.5-S6 -\u003e 9.11.12-S1 of BIND 9 Supported Preview Edition. Versions 9.15.0 -\u003e 9.15.5 of the BIND 9.15 development branch are also affected"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ISC"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem)."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.  9.11.6-P1 -\u003e 9.11.12, 9.12.4-P1 -\u003e 9.12.4-P2, 9.14.1 -\u003e 9.14.7, and versions 9.11.5-S6 -\u003e 9.11.12-S1 of BIND 9 Supported Preview Edition. Versions 9.15.0 -\u003e 9.15.5 of the BIND 9.15 development branch are also affected."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.isc.org/docs/cve-2019-6477",
              "refsource": "CONFIRM",
              "url": "https://kb.isc.org/docs/cve-2019-6477"
            },
            {
              "name": "https://www.synology.com/security/advisory/Synology_SA_19_39",
              "refsource": "CONFIRM",
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_39"
            },
            {
              "name": "FEDORA-2019-73a8737068",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/"
            },
            {
              "name": "https://support.f5.com/csp/article/K15840535?utm_source=f5support\u0026amp;utm_medium=RSS",
              "refsource": "CONFIRM",
              "url": "https://support.f5.com/csp/article/K15840535?utm_source=f5support\u0026amp;utm_medium=RSS"
            },
            {
              "name": "FEDORA-2019-c703d2304a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/"
            },
            {
              "name": "DSA-4689",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4689"
            },
            {
              "name": "openSUSE-SU-2020:1699",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"
            },
            {
              "name": "openSUSE-SU-2020:1701",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to the patched release most closely related to your current version of BIND:\n\n    BIND 9.11.13\n    BIND 9.14.8\n    BIND 9.15.6\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n    BIND 9.11.13-S1\n\nNote that the fix for CVE-2019-6477 addresses only the server memory leak issue. TCP-pipelining may still malfunction by dropping some responses on a TCP connection where a client query pattern generates excessive outstanding queries, but the malfunction will affect that TCP connection alone and will not cause any degradation of service to other clients. An affected client connection might also appear to hang, but will clear when either the client or the server initiates a close or reset and will not remain in that state indefinitely.\n\nDisabling TCP-pipelining entirely is completely effective at mitigating the vulnerability with minimal impact to clients that use pipelined TCP connections and with no impact to clients that do not support TCP-pipelining.\n\nThe majority of Internet client DNS queries are transported over UDP or TCP without use of TCP-pipelining."
          }
        ],
        "source": {
          "discovery": "USER"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "The vulnerability can be avoided by disabling server TCP-pipelining:\n    keep-response-order { any; };\nand then restarting BIND. The server restart is necessary because neither a \u0027reload\u0027 nor a \u0027reconfig\u0027 operation will properly reset currently pipelining TCP clients."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2019-6477",
    "datePublished": "2019-11-26T16:11:16.500185Z",
    "dateReserved": "2019-01-16T00:00:00",
    "dateUpdated": "2024-09-16T16:47:45.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted