Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.Internet Systems Consortium BIND Vulnerabilities
The Internet Systems Consortium (ISC) has released three advisories to address multiple vulnerabilities affecting BIND.
The first advisory, CVE-2010-3613, addresses a vulnerability in BIND versions 9.6.2 to 9.6.2-P2, 9.6-ESV to 9.6-ESV-R2, and 9.70 to 9.7.2-P2. This vulnerability exists when cache incorrectly allows an ncache entry and a rrsig for the same type. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#706148.
The second advisory, CVE-2010-3614, addresses a vulnerability in BIND versions 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, and 9.6-ESV to 9.6-ESV-R2. This vulnerability exists when "named" incorrectly marks zone data as insecure when the zone being queried is undergoing a key algorithm rollover. Exploitation of this vulnerability may allow answers to be incorrectly marked as insecure. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#837744.
The third advisory, CVE-2010-3615, addresses a vulnerability in BIND version 9.7.2-P2. This vulnerability is due to the incorrect processing of "allow-query". Exploitation of this vulnerability may allow a remote attacker to bypass access restrictions. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#510208.
US-CERT encourages users and administrators to review the advisories listed above and apply any necessary updates to help mitigate the risks. Because BIND is often packaged in larger third-party applications or operating system distributions, users and administrators should check with their software vendors for updated versions.
This product is provided subject to this Notification and this Privacy & Use policy.