Overview
A vulnerability exists in the BIND 9 DNSSEC validation code that could be used by an attacker to generate fake NXDOMAIN responses.
Description
BIND 9 contains a vulnerability in DNSSEC validation code. According to ISC: This issue affects BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P4, 9.5.0 -> 9.5.2-P1, 9.6.0 -> 9.6.1-P2
Impact
An attacker may be able to add fake NXDOMAIN records to a resolver's cache.
Solution
Upgrade BIND to version 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.
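To triage an inventory against the ranges above, the following added example (not part of the original note and not ISC code) classifies a BIND version string. It assumes strings of the form `BIND 9.x.y[-Pn]`; the function names are hypothetical.

```python
import re

# Affected ranges and fixed releases, taken from the advisory text above.
# Tuples are (major, minor, patch, P-level).
FIXED = {
    (9, 4): (9, 4, 3, 5),   # 9.4.0 -> 9.4.3-P4 affected, fixed in 9.4.3-P5
    (9, 5): (9, 5, 2, 2),   # 9.5.0 -> 9.5.2-P1 affected, fixed in 9.5.2-P2
    (9, 6): (9, 6, 1, 3),   # 9.6.0 -> 9.6.1-P2 affected, fixed in 9.6.1-P3
}
# Branches listed as affected in full, with no fixed release named for them.
AFFECTED_BRANCHES = {(9, 0), (9, 1), (9, 2), (9, 3)}

# Assumed format: optional "BIND " prefix, x.y.z, optional -Pn patch level.
_VERSION = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, plevel), or None if the format is not recognised."""
    m = _VERSION.match(text.strip())
    if not m:
        return None  # betas, release candidates, vendor-suffixed builds
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def classify(text):
    """Map a version string to 'affected', 'fixed', 'not-listed' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch in AFFECTED_BRANCHES:
        return "affected"
    if branch in FIXED:
        # Tuple comparison orders 9.5.2 (P-level 0) before 9.5.2-P2.
        return "affected" if v < FIXED[branch] else "fixed"
    return "not-listed"  # branch not mentioned by the advisory


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real hosts.
    for sample in ["BIND 9.4.3-P4", "BIND 9.4.3-P5", "9.5.2", "9.6.1-P3",
                   "9.3.6-P1", "9.7.0", "9.6.1-P2-RedHat-9.6.1-3.P2.fc11"]:
        print(f"{sample:40s} {classify(sample)}")
```

Vendor-suffixed strings are deliberately reported as `unknown`: distribution packages may carry a backported fix under an older upstream version number, so check the vendor's own advisory for those.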
Vendor Information
Fedora Project Affected
Notified: January 15, 2010 Updated: January 27, 2010
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Fedora has published more information regarding this issue:
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034196.html
Internet Systems Consortium Affected
Notified: January 15, 2010 Updated: January 19, 2010
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Please see https://www.isc.org/advisories/CVE-2010-0097 for more information regarding the vulnerability.
Red Hat, Inc. Affected
Notified: January 15, 2010 Updated: January 27, 2010
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Red Hat has published more information regarding this issue:
Sun Microsystems, Inc. Affected
Notified: January 15, 2010 Updated: January 27, 2010
Statement Date: January 21, 2010
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Please see the following document for more information:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-275890-1
The SCO Group Affected
Notified: January 15, 2010 Updated: January 27, 2010
Statement Date: January 18, 2010
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ubuntu Affected
Notified: January 15, 2010 Updated: January 27, 2010
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Ubuntu has published more information regarding this issue:
Alcatel-Lucent Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Apple Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
BlueCat Networks, Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Check Point Software Technologies Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Cray Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Debian GNU/Linux Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
DragonFly BSD Project Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
EMC Corporation Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ericsson Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
F5 Networks, Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
FreeBSD Project Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fujitsu Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
GNU glibc Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Gentoo Linux Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Gnu ADNS Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hitachi Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM eServer Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Infoblox Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Juniper Networks, Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Mandriva S. A. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
McAfee Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Men & Mice Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Corporation Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NEC Corporation Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetBSD Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nokia Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nominum Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nortel Networks, Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Novell, Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
OpenBSD Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Openwall GNU/*/Linux Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
QNX Software Systems Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SUSE Linux Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SafeNet Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Shadowsupport Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Slackware Linux Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sony Corporation Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Turbolinux Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Unisys Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: January 15, 2010 Updated: January 14, 2010
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Acknowledgements
This issue was reported by ISC.
This document was written by David Warren.
Other Information
CVE IDs: CVE-2010-0097
Date Public: 2010-01-19
Date First Published: 2010-01-19
Date Last Updated: 2010-01-27 19:37 UTC
Document Revision: 13