search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ISC BIND does not correctly set default access controls

Vulnerability Note VU#187297

Original Release Date: 2007-07-27 | Last Revised: 2008-06-04

Overview

ISC (Internet Systems Consortiuim) BIND fails to properly set default access control lists. This may allow unauthorized users to make recursive querries and querry the cache.

Description

From the ISC BIND security page:

The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents.

Note that the BIND advisory lists BIND 9.4.0, 9.4.1, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, and 9.5.0a5 as the versions affected.

Impact

A remote, unauthenticated attacker may be able to cause a vulnerable DNS server perform recursion. This could be used to perform denial-of-service attacks. An attacker may also be able to querry the cache.

Solution

Upgrade or Patch
This issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6. Users who obtain BIND from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.


Workarounds for administrators of non-publicly accessisble recursive DNS servers

    • Using firewall rules, limit access to the DNS server to authorized networks.
Workarounds for administrators of publicly accessisble recursive DNS servers
    • Rate limiting the number of external recursion requests may mitigate potential abuse of the DNS server.

Vendor Information

187297
 

View all 39 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to ISC for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-2925
Severity Metric: 16.98
Date Public: 2007-07-24
Date First Published: 2007-07-27
Date Last Updated: 2008-06-04 21:39 UTC
Document Revision: 26

Sponsored by CISA.