CVE-2019-6465 - OpenCVE

Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Isc	Bind
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:isc:bind::::::::
	cpe:2.3:a:isc:bind::::::::
	cpe:2.3:a:isc:bind::::::::
	cpe:2.3:a:isc:bind::::::::
	cpe:2.3:a:isc:bind:9.9.3:s1::::::
	cpe:2.3:a:isc:bind:9.10.8:-::::::
	cpe:2.3:a:isc:bind:9.10.8:p1::::::
	cpe:2.3:a:isc:bind:9.11.5:-::::::
	cpe:2.3:a:isc:bind:9.11.5:p1::::::
	cpe:2.3:a:isc:bind:9.11.5:p2::::::
	cpe:2.3:a:isc:bind:9.11.5:s3:::supported_preview:::*
	cpe:2.3:a:isc:bind:9.12.3:-::::::
	cpe:2.3:a:isc:bind:9.12.3:p1::::::
	cpe:2.3:a:isc:bind:9.12.3:p2::::::

Configuration 2 [-]

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2019:3552	Third Party Advisory
https://kb.isc.org/docs/cve-2019-6465	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: isc

Published: 2019-02-21T00:00:00

Updated: 2019-11-06T00:07:01

Reserved: 2019-01-16T00:00:00

Link: CVE-2019-6465

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-10-09T16:15:16.483

Modified: 2019-12-16T16:57:20.547

Link: CVE-2019-6465

JSON object: View

Redhat Information

No data.

CWE

CWE-732

{"containers": {"cna": {"affected": [{"product": "BIND 9", "vendor": "ISC", "versions": [{"status": "affected", "version": "BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465."}]}], "datePublic": "2019-02-21T00:00:00", "descriptions": [{"lang": "en", "value": "Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-06T00:07:01", "orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://kb.isc.org/docs/cve-2019-6465"}, {"name": "RHSA-2019:3552", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3552"}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND:\n\n>= BIND 9.11.5-P4\n>= BIND 9.12.3-P4\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n>= BIND 9.11.5-S5\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Zone transfer controls for writable DLZ zones were not effective", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-officer@isc.org", "DATE_PUBLIC": "2019-02-21T00:00:00.000Z", "ID": "CVE-2019-6465", "STATE": "PUBLIC", "TITLE": "Zone transfer controls for writable DLZ zones were not effective"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIND 9", "version": {"version_data": [{"version_name": "BIND 9", "version_value": "BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465."}]}}]}, "vendor_name": "ISC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL."}]}]}, "references": {"reference_data": [{"name": "https://kb.isc.org/docs/cve-2019-6465", "refsource": "CONFIRM", "url": "https://kb.isc.org/docs/cve-2019-6465"}, {"name": "RHSA-2019:3552", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3552"}]}, "solution": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND:\n\n>= BIND 9.11.5-P4\n>= BIND 9.12.3-P4\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n>= BIND 9.11.5-S5\n"}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "assignerShortName": "isc", "cveId": "CVE-2019-6465", "datePublished": "2019-02-21T00:00:00", "dateReserved": "2019-01-16T00:00:00", "dateUpdated": "2019-11-06T00:07:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "7499FD94-56AE-4BFD-B8FF-D46A63DFDC3B", "versionEndIncluding": "9.10.7", "versionStartIncluding": "9.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9316962-340F-4084-8E86-50600275FF17", "versionEndIncluding": "9.11.4", "versionStartIncluding": "9.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D42B921-3C36-433A-B2F2-0AABC9869DCC", "versionEndIncluding": "9.12.2", "versionStartIncluding": "9.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "68A67ACC-D80C-462C-9B03-D8E694322C3E", "versionEndIncluding": "9.13.6", "versionStartIncluding": "9.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.3:s1:*:*:*:*:*:*", "matchCriteriaId": "FCC182A9-5989-4A87-A3BA-F1CFAEDC95E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.8:-:*:*:*:*:*:*", "matchCriteriaId": "5ABCD105-A5E8-41AF-AE84-622543953449", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.8:p1:*:*:*:*:*:*", "matchCriteriaId": "58D8814F-07FC-42A8-99EF-CD84AADEDC57", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.5:-:*:*:*:*:*:*", "matchCriteriaId": "A10C5868-A7C3-48A5-BDE9-1CE0FC0F515F", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.5:p1:*:*:*:*:*:*", "matchCriteriaId": "EB1A7C62-4700-4DE1-B0C2-16D94D0FE4C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.5:p2:*:*:*:*:*:*", "matchCriteriaId": "6AA46AB1-53D6-47B5-9535-D9DC80F03660", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*", "matchCriteriaId": "1AA16E51-819C-4A1B-B66E-1C60C1782C0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.3:-:*:*:*:*:*:*", "matchCriteriaId": "F59BE241-48B6-47CC-8500-96A8A1E67954", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.3:p1:*:*:*:*:*:*", "matchCriteriaId": "4B12AA91-F54B-4C97-9168-8E276F16F22B", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.3:p2:*:*:*:*:*:*", "matchCriteriaId": "768ABFDE-2A35-4989-A496-37098CA3AEFA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465."}, {"lang": "es", "value": "Los controles para las transferencias de zona pueden no ser aplicados correctamente en Dynamically Loadable Zones (DLZs) si las zonas son grabables. Versiones afectadas: BIND 9.9.0 hasta 9.10.8-P1, 9.11.0 hasta 9.11.5-P2, 9.12.0 hasta 9.12.3-P2, y versiones 9.9.3-S1 hasta 9.11.5-S3 de BIND 9 Supported Preview Edition. Las versiones 9.13.0 hasta 9.13.6 de la rama de desarrollo 9.13 tambi\u00e9n est\u00e1n afectadas. Las versiones anteriores a BIND 9.9.0 no han sido evaluadas para vulnerabilidad de CVE-2019-6465."}], "id": "CVE-2019-6465", "lastModified": "2019-12-16T16:57:20.547", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-officer@isc.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-09T16:15:16.483", "references": [{"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3552"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://kb.isc.org/docs/cve-2019-6465"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}