Описание
When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure.
This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.
An assertion failure vulnerability was found in the BIND package. When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. By sending specific messages to the server, an attacker can cause named to terminate unexpectedly, causing a denial of service.
Отчет
No Red Hat products or offerings are affected by this vulnerability as the affected code is not used in Red Hat systems. Although Red Hat does not ship this vulnerable code, we rated the impact of this vulnerability for the upstream community users marked as Important rather than a Moderate flaw because it triggers an assertion failure within BIND's core DNS handling logic, specifically in the TSIG validation path. Unlike typical input validation errors, which might allow an attacker to manipulate a single query's processing, this bug results in a complete and immediate crash of the named daemon. Since both authoritative servers and resolvers perform TSIG verification, the vulnerability can be exploited remotely by an unauthenticated attacker to cause repeated service outages, effectively disrupting DNS resolution for entire domains or networks.
Меры по смягчению последствий
Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | bind | Not affected | ||
| Red Hat Enterprise Linux 6 | bind | Not affected | ||
| Red Hat Enterprise Linux 7 | bind | Not affected | ||
| Red Hat Enterprise Linux 8 | bind | Not affected | ||
| Red Hat Enterprise Linux 8 | bind9.16 | Not affected | ||
| Red Hat Enterprise Linux 9 | bind | Not affected | ||
| Red Hat Enterprise Linux 9 | bind9.18 | Not affected | ||
| Red Hat Enterprise Linux 9 | dhcp | Not affected | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.
When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.
When an incoming DNS protocol message includes a Transaction Signature ...
When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.
EPSS
7.5 High
CVSS3