
CVE-2019-6475

A flaw in mirror zone validity checking can allow zone data to be spoofed

Severity Score: 7.5 (CVSS v3.1)


Public Exploits: 0 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to DNSSEC validation before being used in answers, as if it had been looked up via traditional recursion, and when mirror zone data cannot be validated, BIND falls back to using traditional recursion instead of the mirror zone. However, an error in the validity checks for the incoming zone data can allow an on-path attacker to replace zone data that was validated with a configured trust anchor with forged data of the attacker's choosing. The mirror zone feature is most often used to serve a local copy of the root zone. If an attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server, this vulnerability could then be used to cause the recursive server to accept a copy of falsified root zone data. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4.


*Credits: N/A
CVSS Scores
  • Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: None
  • Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: None
  • Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality: None; Integrity: Partial; Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-01-16 CVE Reserved
  • 2019-10-17 CVE Published
  • 2024-09-16 CVE Updated
  • 2024-10-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-345: Insufficient Verification of Data Authenticity
CAPEC
Affected Vendors, Products, and Versions

| Vendor | Product | Version | Other | Status |
|--------|---------|---------|-------|--------|
| Isc | Bind | >= 9.14.0 <= 9.14.6 | - | Affected |
| Isc | Bind | >= 9.15.0 <= 9.15.4 | - | Affected |