CERT/CC Vulnerability Note VU#784855

Overview

A flaw exists in BIND 9.7.2 through 9.7.2-P1 pertaining to how an ACL is applied.

Description

There is a flaw in BIND 9.7.2 through 9.7.2-P1 where the wrong ACL is applied. This flaw could allow access to a cache via recursion even though the ACL disallowed it. This bug is primarily a risk to operators running both authoritative and recursive DNS on the same BIND server in the same view.

Impact

A loss of confidentiality in cache data exists.

Solution

Upgrade to BIND 9.7.2-P2

Vendor Information

784855

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Internet Systems Consortium Affected

Notified: September 28, 2010 Updated: September 30, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2010-0218
Severity Metric:	0.01
Date Public:	2010-09-28
Date First Published:	2010-09-30
Date Last Updated:	2010-09-30 13:49 UTC
Document Revision:	8

Software Engineering Institute

CERT Coordination Center

Unexpected ACL Behavior in BIND 9.7.2

Vulnerability Note VU#784855

Overview

Description

Impact

Solution

Vendor Information

Internet Systems Consortium Affected

Status

Vendor Statement

Vendor Information

Vendor References

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC