CVE-2016-6170: Input Validation
First published: Wed Jul 06 2016(Updated: )
ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ISC BIND 9 | >=9.0<=9.9.8 | |
| ISC BIND 9 | >=9.10.0<=9.10.3 | |
| ISC BIND 9 | =9.9.9 | |
| ISC BIND 9 | =9.9.9-beta1 | |
| ISC BIND 9 | =9.9.9-beta2 | |
| ISC BIND 9 | =9.9.9-p1 | |
| ISC BIND 9 | =9.10.4 | |
| ISC BIND 9 | =9.10.4-p1 | |
| ISC BIND 9 | =9.11.0-a1 | |
| ISC BIND 9 | =9.11.0-a2 | |
| ISC BIND 9 | =9.11.0-a3 | |
| ISC BIND 9 | =9.11.0-b1 | |
| Red Hat Enterprise Linux | =5.0 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2016/07/06/3
- http://www.securityfocus.com/bid/91611
- http://www.securitytracker.com/id/1036241
- https://bugzilla.redhat.com/show_bug.cgi?id=1353563
- https://github.com/sischkg/xfer-limit/blob/master/README.md
- https://kb.isc.org/article/AA-01390
- https://kb.isc.org/article/AA-01390/169/CVE-2016-6170
- https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html
- https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015073.html
- https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015075.html
- https://security.gentoo.org/glsa/201610-07
- http://seclists.org/oss-sec/2016/q3/19
- https://github.com/sischkg/xfer-limit/blob/master/bind-9.10.3-xfer-limit-0.0.1.patch
- https://github.com/sischkg/xfer-limit/blob/master/bind-9.9.9-P1-xfer-limit-0.0.1.patch
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1353569
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1353571
- https://access.redhat.com/security/updates/classification/
Frequently Asked Questions
What is the severity of CVE-2016-6170?
CVE-2016-6170 is classified as a denial of service vulnerability that can lead to crashes of secondary DNS servers.
How do I fix CVE-2016-6170?
To mitigate CVE-2016-6170, upgrade BIND to the latest version that is not affected by this vulnerability.
Which versions of BIND are affected by CVE-2016-6170?
CVE-2016-6170 affects ISC BIND versions through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1.
Can CVE-2016-6170 affect IXFR servers?
Yes, CVE-2016-6170 may allow IXFR servers to cause a denial of service through large IXFR responses.
What are the potential impacts of CVE-2016-6170?
The potential impacts of CVE-2016-6170 include denial of service attacks resulting in DNS server crashes.
- agent/type
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-6170
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/description
- agent/event
- agent/first-publish-date
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/isc
- canonical/isc bind 9
- version/isc bind 9/9.0
- version/isc bind 9/9.9.8
- version/isc bind 9/9.10.0
- version/isc bind 9/9.10.3
- version/isc bind 9/9.9.9
- version/isc bind 9/9.9.9-beta1
- version/isc bind 9/9.9.9-beta2
- version/isc bind 9/9.9.9-p1
- version/isc bind 9/9.10.4
- version/isc bind 9/9.10.4-p1
- version/isc bind 9/9.11.0-a1
- version/isc bind 9/9.11.0-a2
- version/isc bind 9/9.11.0-a3
- version/isc bind 9/9.11.0-b1
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/5.0
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0