Bugzilla – Bug 1133187
VUL-0: CVE-2019-6468: bind: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used.
Last modified: 2019-04-25 09:45:44 UTC
https://kb.isc.org/docs/cve-2019-6468

CVE-2019-6468: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used

Updated on 24 Apr 2019
Contributors: Michael McNally

CVE: CVE-2019-6468
Document version: 2.0
Posting date: 24 April 2019
Program impacted: BIND
Versions affected: BIND Supported Preview Edition version 9.10.5-S1 -> 9.11.5-S5. ONLY BIND Supported Preview Edition releases are affected.
Severity: Medium
Exploitable: Remotely

Description:
In BIND Supported Preview Edition, an error in the nxdomain-redirect feature can occur in versions which support EDNS Client Subnet (ECS) features. In those versions which have ECS support, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure.

Impact:
If nxdomain-redirect is enabled (via configuration) in a vulnerable BIND release, a malicious party can cause BIND to exit by deliberately triggering the bug.

CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.

Workarounds:
Exploitation of this defect can be effectively prevented by disabling the nxdomain-redirect feature in the nameserver's configuration.

Active exploits: None known.

Solution:
Upgrade to the patched release most closely related to your current version of BIND:
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
BIND 9.11.5-S6
BIND 9.11.6-S1

Document revision history:
1.0 Early Notification, 15 April 2019
1.1 Added reference to BIND 9.11.6-S1 in Solution section
2.0 Public Disclosure, 24 April 2019
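An exposure check built from the advisory's two conditions (an affected -S release and nxdomain-redirect enabled), added here as an example; it is not part of the ISC advisory or of this bug report. The function names, the sample banner and the sample configuration are constructed. It assumes the affected range can be compared as (major, minor, patch, S-number) tuples, and that the caller passes the effective configuration with include files already expanded (for example the output of named-checkconf -p).

```python
import re

# Affected range as stated in the advisory: 9.10.5-S1 -> 9.11.5-S5.
# Assumption: ordering is by (major, minor, patch, S-number).
FIRST_AFFECTED = (9, 10, 5, 1)
LAST_AFFECTED = (9, 11, 5, 5)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-S(\d+)\b")
# Quoted strings are matched first so comment markers inside them are kept.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
REDIRECT_RE = re.compile(r"(?<![\w-])nxdomain-redirect\s+[^;{}]+;")


def parse_preview_version(banner):
    """Return (major, minor, patch, S-number), or None for non -S builds."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected_version(banner):
    """Only Supported Preview Edition (-S) releases in the range count."""
    v = parse_preview_version(banner)
    return v is not None and FIRST_AFFECTED <= v <= LAST_AFFECTED


def strip_comments(conf_text):
    """Remove /* */, // and # comments from named.conf text, keep strings."""
    def keep_strings(m):
        return m.group(0) if m.group(0).startswith('"') else " "
    return TOKEN_RE.sub(keep_strings, conf_text)


def redirect_enabled(conf_text):
    """True if an nxdomain-redirect statement remains after comment removal."""
    return bool(REDIRECT_RE.search(strip_comments(conf_text)))


def exposed(banner, conf_text):
    """Both advisory conditions hold: affected release and feature enabled."""
    return is_affected_version(banner) and redirect_enabled(conf_text)


# Constructed sample input (not taken from a real host).
SAMPLE_BANNER = "BIND 9.11.5-S5 (constructed sample banner)"
SAMPLE_CONF = 'options {\n  directory "/var//named";  # a note\n' \
              '  nxdomain-redirect "redirect.example.";\n};\n'

if __name__ == "__main__":
    print("exposed:", exposed(SAMPLE_BANNER, SAMPLE_CONF))
```
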
We are not affected as we are not shipping these versions.