Knowledge Base ISC Main Website Ask a Question/Contact ISC
 Featured
BIND 9 Security Vulnerability Matrix
Author: Sue Graves Reference Number: AA-00913 Views: 55170 Created: 2013-05-20 22:08 Last Updated: 2014-04-16 00:59 0 Rating/ Voters

The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND.

It has two parts:

  • The first part is a table listing all of the vulnerabilities covered by this page.  The first column is a reference number for use in the tables in the second part.  The second column is the CVE (Common Vulnerabilities and Exposure) number for the vulnerability, linked to its page on cve.mitre.org.  The third column is a short description of the vulnerability, linked (where possible) to our Knowledge Base article on the vulnerability.
  • The second part is a table for each branch of BIND, listing all of the releases in that branch along the side and vulnerabilities along the top.  If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it.  If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.

For example, if you use the top table to look up CVE-2012-1667, you will see that it cross references to #46. You can look for column #46 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.8.3 you would know to upgrade.

We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

We do not recommend that you use any version not listed in one of these charts.

Vulnerability information for EOL (End of Life) versions of BIND 9 (including 9.7) and below are included.

Using obsolete versions of BIND

We recommend that you not use obsolete versions of any ISC software. It was updated for a reason. But there is one situation in which you really must not run older versions of BIND.

If a nameserver — any nameserver, whether BIND or other software — is configured to use "forwarders'', then none of its targets (the servers to which it forwards the requests) can be running BIND4 or BIND8. Upgrade all nameservers used as forwarders to a current version. There is a wide scale Kashpureff-style DNS cache corruption attack that depends on BIND4 and BIND8 being the targets of DNS forwarders. Both BIND 4 and BIND 8 have end-of-life status.

Listing of Vulnerabilities

#CVE NumberShort Description
572014-0591A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
562013-6230A Winsock API Bug can cause a side-effect affecting BIND ACLs
552013-4854
A specially crafted query can cause BIND to terminate abnormally
54
2013-3919
A recursive resolver can be crashed by a query for a malformed zone
532013-2266A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
522012-5689BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
512012-5688BIND 9 servers using DNS64 can be crashed by a crafted query
502012-5166Specially crafted DNS data can cause a lockup in named
492012-4244A specially crafted Resource Record could cause named to terminate
482012-3868High TCP query load can trigger a memory leak
472012-3817Heavy DNSSEC validation load can cause a "bad cache" assertion failure
462012-1667
452011-4313BIND 9 Resolver crashes after logging an error in query.c
442011-2465Remote crash with certain RPZ configurations
432011-2464remote packet denial of service against authoritative and recursive servers
422011-1910Large RRSIG RRsets and negative caching can crash named
412011-1907RRSIG queries can trigger server crash when using Response Policy Zones
402011-0414Server lockup upon IXFR or DDNS update combined with high query rate
392010-3613cache incorrectly allows an ncache entry and an RRSIG for the same type
382010-3615allow-query processed incorrectly
372010-3614Key algorithm rollover bug in BIND 9
362010-3762failure to handle bad signatures if multiple trust anchors configured
352010-0218Unexpected ACL Behavior in BIND 9.7.2
342010-0213RRSIG query handling bug in BIND 9.7.1
332010-0097DNSSEC validation code could cause bogus NXDOMAIN responses
322009-4022Cache Update From Additional Section
312009-0696Dynamic Update DoS attack
302008-5077DNSSEC issue with DSA and NSEC3DSA algorithms
29
2008-1447DNS cache poisoning issue
28
2008-0122inet_network() off-by-one buffer overflow
27
2007-2930cryptographically weak query ids (BIND 8)
26
2007-2926cryptographically weak query ids
25
2007-2925allow-query-cache/allow-recursion default acls not set.
24
2007-2241Sequence of queries can cause a recursive nameserver to exit.
23
2007-0494Denial of service via ANY query response containing multiple RRsets.
22
2007-0493Denial of service via unspecified vectors that cause "dereference a freed fetch context."
21
2006-4096Denial of service via a flood of recursive queries causing INSIST failure.
19
2005-0034
The DNSSEC validator can cause the server to exit
132002-0400
DoS internal consistency check (DoS_findtype)


Why don't the reference numbers begin at 1?

These matrices have been moved to our Knowledge Base from our website.  Along the way we have extracted the security matrix information for BIND8; hence the numbering does not start with 1, and there are some gaps where some security reports related solely to BIND8.  If you are still running BIND8 or earlier, we strongly recommend that you upgrade because there are security vulnerabilities inherent in BIND8 that could not be fixed until BIND9.

BIND 9.9

ver/CVE464748495051525354
55
56  57
 9.9.5            
9.9.4-P2            
 9.9.4-P1            +
9.9.4
           + +
9.9.3-P2           + +
9.9.3-P1          + + +
9.9.3         + + + +
9.9.2-P2      +   + + +
9.9.2-P1      ++  + + +
9.9.2     +++  + + +
9.9.1-P4     +++  + + +
9.9.1-P3    ++++  + + +
9.9.1-P2   +++++  + + +
9.9.1-P1 +++++++  + + +
9.9.1++++++++  + + +
9.9.0++++++++  + + +


BIND 9.9 Subscription version

(Available via DNSco.  If you'd like more information on our product support or about our Subscription versions of BIND, please visit http://www.dns-co.com/solutions/).

ver/CVE464748495051525354
55
56 57
 9.9.4-S1-P2            
9.9.4-S1-P1
            +
9.9.4-S1           + +
9.9.3-S1-P1           + +
9.9.3-S1          + + +


BIND 9.8

ver/CVE4142434445464748495051525354
55
5657
 9.8.7                 
9.8.6-P2                 
9.8.6-P1
                 +
9.8.6                + +
9.8.5-P2
                + +
9.8.5-P1
               + + +
9.8.5              + + + +
9.8.4-P2           +   + + +
9.8.4-P1           ++  + + +
9.8.4          +++  + + +
9.8.3-P4          +++  + + +
9.8.3-P3         ++++  + + +
9.8.3-P2        +++++  + + +
9.8.3-P1      + +++++  + + +
9.8.3     ++ +++++  + + +
9.8.2     ++ +++++  + + +
9.8.1-P1     ++ +++++  + + +
9.8.1    +++ +++++  + + +
9.8.0-P4    +++ +++++  + + +
9.8.0-P3  + +++ +++++  + + +
9.8.0-P2  +++++ +++++  + + +
9.8.0-P1 ++++++ +++++  + + +
9.8.0+++++++ +++++  + + +


BIND 9.6

ver/CVE30313233343536373839404142434445464748495051525354
55
5657
 9.6-ESV-R11                            
9.6-ESV-R10-P2                            
 9.6-ESV-R10-P1                            +
9.6-ESV-R10                           + +
9.6-ESV-R9-P1                           + +
9.6-ESV-R9                         +  + +
9.6-ESV-R8                           + +
9.6-ESV-R7-P4                           + +
9.6-ESV-R7-P3                    +      + +
9.6-ESV-R7-P2                   ++      + +
9.6-ESV-R7-P1                 + ++      + +
9.6-ESV-R7                ++ ++      + +
9.6-ESV-R6                ++ ++      + +
9.6-ESV-R5-P1                ++ ++      + +
9.6-ESV-R5               +++ ++      + +
9.6-ESV-R4-P3               +++ ++      + +
9.6-ESV-R4-P2             + +++ ++      + +
9.6-ESV-R4-P1             + +++ ++      + +
9.6-ESV-R4            ++ +++ ++      + +
9.6-ESV-R3            +  +++ ++      + +
9.6-ESV-R2       + +  +  +++ ++      + +
9.6-ESV-R1       + +     +++ ++      + +
9.6-ESV       + +     ++  ++      + +
9.6.3       +  +  +  ++  ++      + +
9.6.2-P3       +  +     ++  ++      + +
9.6.2-P2       +  +     ++  ++      + +
9.6.2-P1       +  +     ++  ++      + +
9.6.2       +  +     ++  ++      + +
9.6.1-P3       +  +     ++  ++      + +
9.6.1-P2       +  +     ++  ++      + +
9.6.1-P1  ++   +  +     ++  ++      + +
9.6.1 +++   +  +     ++  ++      + +
9.6.0-P1 +++   +  +     ++  ++      + +
9.6.0++++   +  +     ++  ++      + +


BIND 9.7 

ver/CVE343536373839404142434445464748495051525354
55
56 57
9.7.7                   +  + + +
9.7.6-P4                   +  + + +
9.7.6-P3                +  +  + + +
9.7.6-P2               ++  +  + + +
9.7.6-P1             + ++  +  + + +
9.7.6            ++ ++  +  + + +
9.7.5            ++ ++  +  + + +
9.7.4-P1            ++ ++  +  + + +
9.7.4           +++ ++  +  + + +
9.7.3-P3           +++ ++  +  + + +
9.7.3-P2         + +++ ++  +  + + +
9.7.3-P1         + +++ ++  +  + + +
9.7.3        ++ +++ ++  +  + + +
9.7.2-P3      + ++ +++ ++  +  + + +
9.7.2-P2 ++++++ ++ +++ ++  +  + + +
9.7.2-P1 +++ ++ ++ +++ ++  +  + + +
9.7.2 +++ ++ ++ +++ ++  +  + + +
9.7.1-P2  ++ ++ ++ +++ ++  +  + + +
9.7.1-P1+ ++ ++ ++ +++ ++  +  + + +
9.7.1+ ++ ++ ++ +++ ++  +  + + +
9.7.0-P2  ++ +   + +++ ++  +  + + +
9.7.0-P1  ++ +   + +++ ++  +  + + +
9.7.0  ++ +   + +++ ++  +  + + +


BIND 9.5

ver/CVE2930313233343536373839404142434445
9.5.2-P2        + +     +
9.5.1-P3   ++   + +     +
9.5.1-P1  +++   + +     +
9.5.1 ++++   + +     +
9.5.0-P2 ++++   + +     +
9.5.0-P1 ++++   + +     +
9.5.0+++++   + +     +

BIND 9.4

ver/CVE24252627282930313233343536373839404142434445
9.4-ESV-R5-P1                     +
9.4-ESV-R5                    ++
9.4-ESV-R4-P1                    ++
9.4-ESV-R4                  +  +
9.4-ESV-R3             + +  +  +
9.4-ESV-R2             + +     +
9.4-ESV-R1             + +     +
9.4-ESV             + +     +
9.4.3-P5             + +     +
9.4.3-P3        ++   + +     +
9.4.3-P1       +++   + +     +
9.4.3      ++++   + +     +
9.4.2-P1    + ++++   + +     +
9.4.2    ++++++   + +     +
9.4.1-P1    ++++++   + +     +
9.4.1 ++ ++++++   + +     +
9.4.0+++ ++++++   + +     +

BIND 9.3

ver/CVE19
212223242526272829303132333435363738394041424344
9.3.6-P1           +++   + +     
9.3.6          ++++   + +     
9.3.5-P1          ++++   + +     
9.3.5         +++++   + +     
9.3.4-P1        ++++++   + +     
9.3.4      + ++++++   + +     
9.3.3  ++  + ++++++   + +     
9.3.2 +++  + ++++++   + +     
9.3.1 +++  + ++++++   + +     
9.3.0 ++++  + ++++++   + +     

BIND 9.2

ver/CVE13
2223242526272829303132333435363738394041424344
9.2.8-P1       ++++++   + +     
9.2.8     + ++++++   + +     
9.2.7 ++  + ++++++   + +     
9.2.6 ++  + ++++++   + +     
9.2.5 ++  + ++++++   + +     
9.2.4 ++  + ++++++   + +     
9.2.3 ++  + ++++++   + +     
9.2.2 ++  + ++++++   + +     
9.2.1 ++  + ++++++   + +     
9.2.0 +++  + ++++++   + +     

BIND 9.1

ver/CVE13
23242526272829303132333435363738394041424344
9.1.3 ++  + ++++++   + +     
9.1.2 ++  + ++++++   + +     
9.1.1 ++  + ++++++   + +     
9.1.0 ++  + ++++++   + +     

BIND 9.0

ver/CVE13
23242526272829303132333435363738394041424344
9.0.1 ++  + ++++++   + +     
9.0.0
 ++    ++++++   + +     

 



© 2001-2014 Internet Systems Consortium

Feedback 2
  • #
    [KB Admin]: Unexpected Portugese Error 2013-08-12 11:09

    Sorry about that - we've fixed the link!

  • #
    [ gson]: Unexpected Portugese Error 2013-07-27 10:32

    When I view the BIND 9 Security Vulnerability Matrix at https://kb.isc.org/article/AA-00913/0 and click the link saying
    "A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named", I end up on a page in Portugese rather than the expected English.

Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu