CVE-2007-2925 - OpenCVE

The default access control lists (ACL) in ISC BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5 do not set the allow-recursion and allow-query-cache ACLs, which allows remote attackers to make recursive queries and query the cache.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Isc	Bind

Configuration 1 [-]

OR	cpe:2.3:a:isc:bind:9.4.0:::::::*
	cpe:2.3:a:isc:bind:9.4.1:::::::*
	cpe:2.3:a:isc:bind:9.5.0:::::::*

References

Link	Resource
http://secunia.com/advisories/26227
http://secunia.com/advisories/26236
http://secunia.com/advisories/26509
http://secunia.com/advisories/26515
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=623903
http://www.gentoo.org/security/en/glsa/glsa-200708-13.xml
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.mandriva.com/security/advisories?name=MDKSA-2007:149
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.022.html
http://www.securityfocus.com/bid/25076
http://www.securitytracker.com/id?1018441
http://www.slackware.org/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.521385
http://www.vupen.com/english/advisories/2007/2628
http://www.vupen.com/english/advisories/2007/2914
https://exchange.xforce.ibmcloud.com/vulnerabilities/35571

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2007-07-24T17:00:00

Updated: 2017-07-28T12:57:01

Reserved: 2007-05-30T00:00:00

Link: CVE-2007-2925

JSON object: View

NVD Information

Status : Modified

Published: 2007-07-24T17:30:00.000

Modified: 2018-10-30T16:27:02.233

Link: CVE-2007-2925

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-07-24T00:00:00", "descriptions": [{"lang": "en", "value": "The default access control lists (ACL) in ISC BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5 do not set the allow-recursion and allow-query-cache ACLs, which allows remote attackers to make recursive queries and query the cache."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "25076", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/25076"}, {"name": "ADV-2007-2914", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/2914"}, {"name": "1018441", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1018441"}, {"name": "ADV-2007-2628", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/2628"}, {"name": "26509", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26509"}, {"name": "MDKSA-2007:149", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:149"}, {"name": "isc-bind-acl-security-bypass(35571)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35571"}, {"name": "GLSA-200708-13", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://www.gentoo.org/security/en/glsa/glsa-200708-13.xml"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=623903"}, {"name": "SSA:2007-207-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE"], "url": "http://www.slackware.org/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.521385"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.isc.org/index.pl?/sw/bind/bind-security.php"}, {"name": "26227", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26227"}, {"name": "26515", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26515"}, {"name": "26236", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26236"}, {"name": "OpenPKG-SA-2007.022", "tags": ["vendor-advisory", "x_refsource_OPENPKG"], "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2007-2925", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The default access control lists (ACL) in ISC BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5 do not set the allow-recursion and allow-query-cache ACLs, which allows remote attackers to make recursive queries and query the cache."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "25076", "refsource": "BID", "url": "http://www.securityfocus.com/bid/25076"}, {"name": "ADV-2007-2914", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2914"}, {"name": "1018441", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1018441"}, {"name": "ADV-2007-2628", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2628"}, {"name": "26509", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26509"}, {"name": "MDKSA-2007:149", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:149"}, {"name": "isc-bind-acl-security-bypass(35571)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35571"}, {"name": "GLSA-200708-13", "refsource": "GENTOO", "url": "http://www.gentoo.org/security/en/glsa/glsa-200708-13.xml"}, {"name": "http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=623903", "refsource": "CONFIRM", "url": "http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=623903"}, {"name": "SSA:2007-207-01", "refsource": "SLACKWARE", "url": "http://www.slackware.org/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.521385"}, {"name": "http://www.isc.org/index.pl?/sw/bind/bind-security.php", "refsource": "CONFIRM", "url": "http://www.isc.org/index.pl?/sw/bind/bind-security.php"}, {"name": "26227", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26227"}, {"name": "26515", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26515"}, {"name": "26236", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26236"}, {"name": "OpenPKG-SA-2007.022", "refsource": "OPENPKG", "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.022.html"}]}}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2007-2925", "datePublished": "2007-07-24T17:00:00", "dateReserved": "2007-05-30T00:00:00", "dateUpdated": "2017-07-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:9.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6D7C7524-6943-4D94-8835-0221F0F0CD63", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "916D4013-27A5-4688-A985-A9B77F90AC45", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "32CEF8AD-9EE7-4ADA-888E-883751962529", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The default access control lists (ACL) in ISC BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5 do not set the allow-recursion and allow-query-cache ACLs, which allows remote attackers to make recursive queries and query the cache."}, {"lang": "es", "value": "La lista de control de acceso por defecto (ACL) en ISC BIND 9.4.0, 9.4.1, y 9.5.0a1 hasta 9.5.0a5 no asigna las ACLs allow-recursion y allow-query-cache, lo cual permite a atacantes remotos realizar consultas recursivas y consultar la cache."}], "id": "CVE-2007-2925", "lastModified": "2018-10-30T16:27:02.233", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-07-24T17:30:00.000", "references": [{"source": "cret@cert.org", "url": "http://secunia.com/advisories/26227"}, {"source": "cret@cert.org", "url": "http://secunia.com/advisories/26236"}, {"source": "cret@cert.org", "url": "http://secunia.com/advisories/26509"}, {"source": "cret@cert.org", "url": "http://secunia.com/advisories/26515"}, {"source": "cret@cert.org", "url": "http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=623903"}, {"source": "cret@cert.org", "url": "http://www.gentoo.org/security/en/glsa/glsa-200708-13.xml"}, {"source": "cret@cert.org", "url": "http://www.isc.org/index.pl?/sw/bind/bind-security.php"}, {"source": "cret@cert.org", "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:149"}, {"source": "cret@cert.org", "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.022.html"}, {"source": "cret@cert.org", "url": "http://www.securityfocus.com/bid/25076"}, {"source": "cret@cert.org", "url": "http://www.securitytracker.com/id?1018441"}, {"source": "cret@cert.org", "url": "http://www.slackware.org/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.521385"}, {"source": "cret@cert.org", "url": "http://www.vupen.com/english/advisories/2007/2628"}, {"source": "cret@cert.org", "url": "http://www.vupen.com/english/advisories/2007/2914"}, {"source": "cret@cert.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35571"}], "sourceIdentifier": "cret@cert.org", "vendorComments": [{"comment": "Not vulnerable. This issu did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.", "lastModified": "2007-07-26T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}