CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit
First published: Mon Nov 18 2019(Updated: )
As per upstream advisory: By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by <a href="https://access.redhat.com/security/cve/CVE-2018-5743">CVE-2018-5743</a> changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | <=1:9.15.5-1<=1:9.11.5.P4+dfsg-1<=1:9.11.5.P4+dfsg-5.1 | 1:9.11.5.P4+dfsg-5.1+deb10u1 1:9.11.14+dfsg-1 1:9.15.6-1 |
| IBM Data Risk Manager | <=2.0.6 | |
| ISC BIND | >=9.11.7<=9.11.12 | |
| ISC BIND | >=9.14.1<=9.14.7 | |
| ISC BIND | >=9.15.0<=9.15.5 | |
| ISC BIND | =9.11.5-s6 | |
| ISC BIND | =9.11.6-p1 | |
| ISC BIND | =9.11.6-rc1 | |
| ISC BIND | =9.11.12-s1 | |
| ISC BIND | =9.12.4-p1 | |
| ISC BIND | =9.12.4-p2 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| redhat/bind | <9.11.13 | 9.11.13 |
| redhat/bind | <9.14.8 | 9.14.8 |
| redhat/bind | <9.15.6 | 9.15.6 |
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.19-1 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.13 BIND 9.14.8 BIND 9.15.6 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9.11.13-S1 Note that the fix for CVE-2019-6477 addresses only the server memory leak issue. TCP-pipelining may still malfunction by dropping some responses on a TCP connection where a client query pattern generates excessive outstanding queries, but the malfunction will affect that TCP connection alone and will not cause any degradation of service to other clients. An affected client connection might also appear to hang, but will clear when either the client or the server initiates a close or reset and will not remain in that state indefinitely. Disabling TCP-pipelining entirely is completely effective at mitigating the vulnerability with minimal impact to clients that use pipelined TCP connections and with no impact to clients that do not support TCP-pipelining. The majority of Internet client DNS queries are transported over UDP or TCP without use of TCP-pipelining.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2019-6477
- https://security-tracker.debian.org/tracker/CVE-2018-5743
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6477
- https://kb.isc.org/docs/cve-2019-6477
- https://security-tracker.debian.org/tracker/CVE-2020-8616
- https://security-tracker.debian.org/tracker/CVE-2020-8617
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945171
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/
- https://support.f5.com/csp/article/K15840535?utm_source=f5support&utm_medium=RSS
- https://www.debian.org/security/2020/dsa-4689
- https://www.synology.com/security/advisory/Synology_SA_19_39
- https://access.redhat.com/security/cve/CVE-2018-5743
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1637475&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1637475&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1774827
- https://access.redhat.com/errata/RHSA-2020:1061
- https://access.redhat.com/security/cve/cve-2019-6477
- https://access.redhat.com/errata/RHSA-2020:1845
- https://bugzilla.redhat.com/show_bug.cgi?id=1773617
- https://exchange.xforce.ibmcloud.com/vulnerabilities/172012
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/
- https://support.f5.com/csp/article/K15840535?utm_source=f5support&%3Butm_medium=RSS
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/
Frequently Asked Questions
What is CVE-2019-6477?
CVE-2019-6477 is a vulnerability in ISC BIND that allows a remote attacker to launch a denial-of-service attack by sending TCP-pipelined queries.
How does the vulnerability in ISC BIND work?
The vulnerability in ISC BIND occurs when pipelining is enabled, causing each incoming query on a TCP connection to consume more resources than the server can handle.
Which software and versions are affected by CVE-2019-6477?
The affected software includes bind9 (version 1:9.11.5.P4+dfsg-5.1+deb10u7 or later, 1:9.11.5.P4+dfsg-5.1+deb10u9 or later, or 1:9.16.44-1~deb11u1 or later) in Debian, IBM Data Risk Manager (version up to 2.0.6) by IBM, and various versions of bind in Debian, Red Hat, and Fedora.
How severe is CVE-2019-6477?
CVE-2019-6477 has a severity rating of 7.5 (high).
Is there a fix available for CVE-2019-6477?
Yes, patches and updates are available for the affected software. For bind9 in Debian, the official Debian repository provides the necessary patches. IBM Data Risk Manager users should apply the recommended patch provided by IBM. Red Hat and Fedora users should check the respective vendor's security advisories for available updates.
- collector/debian-bugs
- alias/CVE-2019-6477
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/remedy
- agent/references
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/debian
- vendor/isc
- canonical/isc bind
- version/isc bind/9.11.7
- version/isc bind/9.11.12
- version/isc bind/9.14.1
- version/isc bind/9.14.7
- version/isc bind/9.15.0
- version/isc bind/9.15.5
- version/isc bind/9.11.5-s6
- version/isc bind/9.11.6-p1
- version/isc bind/9.11.6-rc1
- version/isc bind/9.11.12-s1
- version/isc bind/9.12.4-p1
- version/isc bind/9.12.4-p2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- package-manager/redhat
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6