CVE-2019-6475
A flaw in mirror zone validity checking can allow zone data to be spoofed
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to DNSSEC validation before being used in answers, as if it had been looked up via traditional recursion, and when mirror zone data cannot be validated, BIND falls back to using traditional recursion instead of the mirror zone. However, an error in the validity checks for the incoming zone data can allow an on-path attacker to replace zone data that was validated with a configured trust anchor with forged data of the attacker's choosing. The mirror zone feature is most often used to serve a local copy of the root zone. If an attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server, this vulnerability could then be used to cause the recursive server to accept a copy of falsified root zone data. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4.
Las zonas espejo son una funcionalidad de BIND que permite a los servidores recursivos almacenar en memoria caché los datos de zona proporcionados por otros servidores. Una zona espejo es similar a una zona de tipo secundaria, excepto que sus datos están sujetos a la comprobación DNSSEC antes de ser usados en las respuestas, como si han sido buscados por medio de la recursión tradicional, y cuando los datos de la zona espejo no pueden ser comprobados, BIND regresa para usar la recursividad tradicional en lugar de la zona espejo. Sin embargo, un error en las comprobaciones de validez de los datos de las zonas entrantes puede permitir a un atacante en ruta reemplazar los datos de zona que fueron comprobados con un ancla de confianza configurada con datos falsificados de elección del atacante. La funcionalidad de zona espejo es usada con mayor frecuencia para servir una copia local de la zona root. Si un atacante fue capaz de insertarse en la ruta de red entre un servidor recursivo y un servidor de nombre root utilizando una zona espejo, esta vulnerabilidad podría ser usada para causar que el servidor recursivo acepte una copia de los datos falsificados de la zona root. Esto afecta a las versiones BIND 9.14.0 hasta 9.14.6 y 9.15.0 hasta 9.15.4.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-01-16 CVE Reserved
- 2019-10-17 CVE Published
- 2024-09-16 CVE Updated
- 2024-10-10 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-345: Insufficient Verification of Data Authenticity
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20191024-0004 | Third Party Advisory |
|
| https://support.f5.com/csp/article/K42238532?utm_source=f5support&%3Butm_medium=RSS | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://kb.isc.org/docs/cve-2019-6475 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Isc Search vendor "Isc" | Bind Search vendor "Isc" for product "Bind" | >= 9.14.0 <= 9.14.6 Search vendor "Isc" for product "Bind" and version " >= 9.14.0 <= 9.14.6" | - |
Affected
| ||||||
| Isc Search vendor "Isc" | Bind Search vendor "Isc" for product "Bind" | >= 9.15.0 <= 9.15.4 Search vendor "Isc" for product "Bind" and version " >= 9.15.0 <= 9.15.4" | - |
Affected
| ||||||