Impact: Important Public Date: 2019-06-19 Bugzilla: 1721780: CVE-2019-6471 bind: Race condition when discarding malformed packets can cause bind to exit with assertion failure A race condition leading to denial of service was found in the way bind handled certain malformed packets. A remote attacker who could cause the bind resolver to perform queries on a server, which responds deliberately with malformed answers, could cause named to exit.
Find out more about CVE-2019-6471 from the MITRE CVE dictionary dictionary and NIST NVD.
This bind flaw can be exploited by a remote attacker (AV:N). However the attack works only if the attacker could cause the bind server to perform queries on another DNS server and the other DNS server deliberately responds with malformed answers (AC:H). No other special privileges are required by the attacker (PR:L). No user interaction is required from the server side (UI:N). The attacker can cause denial of service (A:H) by causing the named process to exit with an assertion flaw. There is no affect on the Confidentiality or Integrity of the system (C:N/I:N).
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.9 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | None |
| Availability Impact | High |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 8 | bind | Affected |
| Red Hat Enterprise Linux 7 | bind | Not affected |
| Red Hat Enterprise Linux 6 | bind | Not affected |
| Red Hat Enterprise Linux 5 | bind97 | Not affected |
| Red Hat Enterprise Linux 5 | bind | Not affected |
Vulmon