BIND 9 Security Vulnerability Matrix

AA-00913

                                                                   

The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND.

It has two parts:

  • The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposures) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to our Knowledge Base article on the vulnerability.
  • The second part is a table for each branch of BIND, listing all of the releases in that branch along the side and vulnerabilities along the top. If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it. If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.

For example, if you use the top table to look up CVE-2012-1667, you will see that it cross-references to #46. You can look for column #46 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.8.3 you would know to upgrade.

We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

We do not recommend that you use any version not listed in one of these charts.

Vulnerability information for EOL (End of Life) versions of BIND 9 (9.0 through 9.8) and below is included only for vulnerabilities discovered before (or in some cases shortly after) the EOL date. These versions are all known to be affected by some vulnerabilities discovered after their EOL date.

Using obsolete versions of BIND

We recommend that you not use obsolete versions of any ISC software. It was updated for a reason. But there is one situation in which you really must not run older versions of BIND.

If a nameserver — any nameserver, whether BIND or other software — is configured to use "forwarders", then none of its targets (the servers to which it forwards the requests) can be running BIND4 or BIND8. Upgrade all nameservers used as forwarders to a current version. There is a wide-scale Kashpureff-style DNS cache corruption attack that depends on BIND4 and BIND8 being the targets of DNS forwarders. Both BIND 4 and BIND 8 have end-of-life status.

Listing of Vulnerabilities affecting current branches of BIND

# CVE Number Short Description
78 2016-8864 A problem handling responses containing a DNAME answer can lead to an assertion failure
77 2016-2848 A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 and in packages derived from releases prior to that date.
76 2016-2776 Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request
75 2016-2775 A query name which is too long can cause a segmentation fault in lwresd
74 2016-2088 A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure
73 2016-1286 A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c
72 2016-1285 An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
71 2016-1284 A REQUIRE assertion failure in rdataset.c can be deliberately triggered in servers performing NXDOMAIN redirection
70 2015-8705 Problems converting OPT resource records and ECS options to text format can cause BIND to terminate
69 2015-8704 Specific APL data could trigger an INSIST in apl_42.c
68 2015-8461 A race condition when handling socket errors can lead to an assertion failure in resolver.c
67 2015-8000 Responses with a malformed class attribute can trigger an assertion failure in db.c
66 2015-5986 An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c
65 2015-5722 Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
64 2015-5477 An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
63 2015-4620 Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating
62 2015-1349 A Problem with Trust Anchor Management Can Cause named to Crash
61 2014-8680 Defects in GeoIP features can cause BIND to crash
60 2014-8500 A Defect in Delegation Handling Can Be Exploited to Crash BIND
59 2014-3859 BIND named can crash due to a defect in EDNS printing processing
58 2014-3214 A Defect in Prefetch Can Cause Recursive Servers to Crash
57 2014-0591 A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
56 2013-6230 A Winsock API Bug can cause a side-effect affecting BIND ACLs
55 2013-4854 A specially crafted query can cause BIND to terminate abnormally
54 2013-3919 A recursive resolver can be crashed by a query for a malformed zone
53 2013-2266 A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
52 2012-5689 BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
51 2012-5688 BIND 9 servers using DNS64 can be crashed by a crafted query
50 2012-5166 Specially crafted DNS data can cause a lockup in named
49 2012-4244 A specially crafted Resource Record could cause named to terminate
48 2012-3868 High TCP query load can trigger a memory leak
47 2012-3817 Heavy DNSSEC validation load can cause a "bad cache" assertion failure
46 2012-1667


Why don't the reference numbers begin at 1?

These matrices have been moved to our Knowledge Base from our website.  Along the way we have extracted the security matrix information for BIND8; hence the numbering does not start with 1, and there are some gaps where some security reports related solely to BIND8.  If you are still running BIND8 or earlier, we strongly recommend that you upgrade because there are security vulnerabilities inherent in BIND8 that could not be fixed until BIND9.

As major branches of BIND have reached EOL (End of Life), the lowest numbered vulnerability affecting our current versions has increased.  Issues only affecting obsolete branches of BIND have been moved to a separate table later in this article.

BIND 9.11

ver/CVE 78
9.11.0-P1
9.11.0 +


BIND 9.10

ver/CVE 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78
9.10.4-P4
                     
9.10.4-P3
                    +
9.10.4-P2
                  +
 +
9.10.4-P1
                 +
+ +
9.10.4
                 +
+
 +
9.10.3-P4
                 +
+
 +
9.10.3-P3
                     
   +
+
+
+
+
 +
9.10.3-P2
                      +
+
 +
+
++
+
 +
9.10.3-P1
                    +
+
+
 +
+
+
+
+
 +
9.10.3
                  + +
+
+
 +
+
+
+
+
 +
9.10.2-P4
                  +   +
+
 +
+
+
+
+
 +
9.10.2-P3
              +
+
+
  +
+
 +
+
+
+
+
 +
9.10.2-P2






+
+
+
+   +
+
 +
+
+
+
+
 +
9.10.2-P1




+
+
+
+
+   +
+
 +
+
+
+
+
 +
9.10.2





+
+
+
+
+   +
+
 +
+
+
+
+
 +
9.10.1-P2





+
+
+

+   +
+
 +
+
+
+
+
 +
9.10.1-P1




+ +
+
+

+   +
+
 +
+
+
+
+
 +
9.10.1

+
+
+ +
+
+

+   +
+
 +
+
+
+
+
 +
9.10.0-P2

+
+
+ +
+
+

+   +
+
 +
+
+
+
+
 +
9.10.0-P1

+ +
+
+ +
+
+

+   +
+
 +
+
+
+
+
 +
9.10.0 + + + +
+ +
+
+

+   +
+
 +
+
+
+
+
 +


BIND 9.9

ver/CVE 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78
9.9.9-P4
                                 
9.9.9-P3                                +
9.9.9-P2
                              +
 +
9.9.9-P1
                             +
+
 +
9.9.9
                             +
+
 +
9.9.8-P4
                             +
+
 +
9.9.8-P3
                                                   +
+
 +
+
 +
9.9.8-P2
                                              +
   +
+
 +
+
 +
9.9.8-P1
                                            +
+
   +
+
 +
+
 +
9.9.8
                                          +
+
+
   +
+
 +
+
 +
9.9.7-P3
                                          +
  +
   +
+
 +
+
 +
9.9.7-P2
                                      +
+
+
  +
   +
+
 +
+
 +
9.9.7-P1


















+
+
+
+
  +
   +
+
 +
+
 +
9.9.7

















+
+
+
+
+
  +
   +
+
 +
+
 +
9.9.6-P2

















+
+
+

+
  +
   +
+
 +
+
 +
9.9.6-P1
















+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.6













+

+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.5-P1                    



+

+ +
+
+
 
+
  +
   +
+
 +
+
 +
9.9.5-W1                    



+

+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.5                    



+

+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.4-P2                    



+

+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.4-P1                    
+

+

+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.4
                    + +

+

+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.3-P2                     + +

+

+ +
+
+
 
+
  +
   +
+
 +
+
 +
9.9.3-P1                   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.3                 + + + +

+

+ +
+
+

+
  +
   +
+
 +
+
 +
9.9.2-P2             +     + + +

+

+ +
+
+
 
+
  +
   +
+
 +
+
+
+
9.9.2-P1             + +   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
+
+
9.9.2           + + +   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
+
+
9.9.1-P4           + + +   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
+
+
9.9.1-P3         + + + +   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
+
+
9.9.1-P2       + + + + +   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
+
+
9.9.1-P1   + + + + + + +   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
+
+
9.9.1 + + + + + + + +   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
+
+
9.9.0 + + + + + + + +   + + +

+

+ +
+
+

+
  +
   +
+
 +
+
+
+


BIND 9.9 Supported Preview edition

If you'd like more information on our product support or about our Supported Preview edition of BIND, also known as the Subscription version, please visit https://www.isc.org/bind-subscription-2/

ver/CVE 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78
9.9.9-S6
                         
9.9.9-S5
                        +
9.9.9-S4
                        +
9.9.9-S3                      +
 +
9.9.9-S2
                     +
+
 +
9.9.9-S1
                     +
+
 +
9.9.8-S6
                     +
+
 +
9.9.8-S5
                  +
+
 +
+
 +
9.9.8-S4
                                  +
+
+
 +
+
 +
9.9.8-S3
                              +
  +
+
+
 +
+
 +
9.9.8-S2
                         
+
+
  +
+
+
 +
+
 +
9.9.8-S1
                          +
+
+
  +
+
+
 +
+
 +
9.9.7-S6
                          +
  +
   +
+
 +
+
 +
9.9.7-S5
                      +
+
+
  +
   +
+
 +
+
 +
9.9.7-S4
                    +
+
+
+
  +
   +
+
 +
+
 +
9.9.7-S3
                  +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.7-S2
                  +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.7-S1
                  +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.6-S3
                  +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.6-S2                 + +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.6-S1             +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.5-S1-P1             +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.5-S1-W1
            +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.5-S1             +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.4-S1-P2             +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.4-S1-P1
      +     +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.4-S1     + +     +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.3-S1-P1     + +     +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +
9.9.3-S1   + + +     +
+
+ +
+
+
+
+
  +
   +
+
 +
+
 +


ALL versions below are EOL

While there may be some newer vulnerabilities that do not apply to them, they are all affected by multiple known vulnerabilities.

Listing of Vulnerabilities affecting only obsolete branches of BIND

# CVE Number Short Description
45 2011-4313 BIND 9 Resolver crashes after logging an error in query.c
44 2011-2465 Remote crash with certain RPZ configurations
43 2011-2464 remote packet denial of service against authoritative and recursive servers
42 2011-1910 Large RRSIG RRsets and negative caching can crash named
41 2011-1907 RRSIG queries can trigger server crash when using Response Policy Zones
40 2011-0414 Server lockup upon IXFR or DDNS update combined with high query rate
39 2010-3613 cache incorrectly allows an ncache entry and an RRSIG for the same type
38 2010-3615 allow-query processed incorrectly
37 2010-3614 Key algorithm rollover bug in BIND 9
36 2010-3762 failure to handle bad signatures if multiple trust anchors configured
35 2010-0218 Unexpected ACL Behavior in BIND 9.7.2
34 2010-0213 RRSIG query handling bug in BIND 9.7.1
33 2010-0097 DNSSEC validation code could cause bogus NXDOMAIN responses
32 2009-4022 Cache Update From Additional Section
31 2009-0696 Dynamic Update DoS attack
30 2008-5077 DNSSEC issue with DSA and NSEC3DSA algorithms
29 2008-1447 DNS cache poisoning issue
28 2008-0122 inet_network() off-by-one buffer overflow
27 2007-2930 cryptographically weak query ids (BIND 8)
26 2007-2926 cryptographically weak query ids
25 2007-2925 allow-query-cache/allow-recursion default acls not set.
24 2007-2241 Sequence of queries can cause a recursive nameserver to exit.
23 2007-0494 Denial of service via ANY query response containing multiple RRsets.
22 2007-0493 Denial of service via unspecified vectors that cause "dereference a freed fetch context."
21 2006-4096 Denial of service via a flood of recursive queries causing INSIST failure.
19 2005-0034 The DNSSEC validator can cause the server to exit
13 2002-0400 DoS internal consistency check (DoS_findtype)


BIND 9.8

(EOL September 2014; final matrix update 2014-12-08)

ver/CVE 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
9.8.8                                       +
 
9.8.7-P1                                       +
 
9.8.7                                       +
 
9.8.6-P2                                       +
 
9.8.6-P1
                                +     +
 
9.8.6                               + +     +
 
9.8.5-P2
                              + +     +
 
9.8.5-P1
                            + + +     +
 
9.8.5                           + + + +     +
 
9.8.4-P2                       +     + + +     +
 
9.8.4-P1                       + +   + + +     +
 
9.8.4                     + + +   + + +     +
 
9.8.3-P4                     + + +   + + +     +
 
9.8.3-P3                   + + + +   + + +     +
 
9.8.3-P2                 + + + + +   + + +     +
 
9.8.3-P1             +   + + + + +   + + +     +
 
9.8.3           + +   + + + + +   + + +     +
 
9.8.2           + +   + + + + +   + + +     +
 
9.8.1-P1           + +   + + + + +   + + +     +
 
9.8.1         + + +   + + + + +   + + +     +
 
9.8.0-P4         + + +   + + + + +   + + +     +
 
9.8.0-P3     +   + + +   + + + + +   + + +     +
 
9.8.0-P2     + + + + +   + + + + +   + + +     +
 
9.8.0-P1   + + + + + +   + + + + +   + + +     +  
9.8.0 + + + + + + +   + + + + +   + + +     +  


BIND 9.7 

(EOL November 2012; Final matrix update 2014-01-13)

ver/CVE 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
9.7.7                                       +    +  +  +
9.7.6-P4                                       +    +  +  +
9.7.6-P3                                 +     +    +  +  +
9.7.6-P2                               + +     +    +  +  +
9.7.6-P1                           +   + +     +    +  +  +
9.7.6                         + +   + +     +    +  +  +
9.7.5                         + +   + +     +    +  +  +
9.7.4-P1                         + +   + +     +    +  +  +
9.7.4                       + + +   + +     +    +  +  +
9.7.3-P3                       + + +   + +     +    +  +  +
9.7.3-P2                   +   + + +   + +     +    +  +  +
9.7.3-P1                   +   + + +   + +     +    +  +  +
9.7.3                 + +   + + +   + +     +    +  +  +
9.7.2-P3             +   + +   + + +   + +     +    +  +  +
9.7.2-P2   + + + + + +   + +   + + +   + +     +    +  +  +
9.7.2-P1   + + +   + +   + +   + + +   + +     +    +  +  +
9.7.2   + + +   + +   + +   + + +   + +     +    +  +  +
9.7.1-P2     + +   + +   + +   + + +   + +     +    +  +  +
9.7.1-P1 +   + +   + +   + +   + + +   + +     +    +  +  +
9.7.1 +   + +   + +   + +   + + +   + +     +    +  +  +
9.7.0-P2     + +   +       +   + +     + +     +    +  +  +
9.7.0-P1     + +   +       +   + +     + +     +    +  +  +
9.7.0     + +   +       +   + +     + +     +    +  +  +


BIND 9.6 / 9.6-ESV

(EOL February 2014; final matrix update 2014-12-08)

ver/CVE 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
9.6-ESV-R11                                                            
+
9.6-ESV-R10-P2                                                             +
9.6-ESV-R10-P1                                                        +  
+
9.6-ESV-R10                                                      +  +     +
9.6-ESV-R9-P1                                                      +  +     +
9.6-ESV-R9                                                  +    +  +     +
9.6-ESV-R8                                                      +  +     +
9.6-ESV-R7-P4                                                      +  +     +
9.6-ESV-R7-P3                                         +            +  +     +
9.6-ESV-R7-P2                                       + +            +  +     +
9.6-ESV-R7-P1                                   +   + +            +  +     +
9.6-ESV-R7                                 + +   + +            +  +     +
9.6-ESV-R6                                 + +   + +            +  +     +
9.6-ESV-R5-P1                                 + +   + +            +  +     +
9.6-ESV-R5                               + + +   + +            +  +     +
9.6-ESV-R4-P3                               + + +   + +            +  +     +
9.6-ESV-R4-P2                           +   + + +   + +            +  +     +
9.6-ESV-R4-P1                           +   + + +   + +            +  +     +
9.6-ESV-R4                         + +   + + +   + +            +  +     +
9.6-ESV-R3                         +     + + +   + +            +  +     +
9.6-ESV-R2               +   +     +     + + +   + +            +  +     +
9.6-ESV-R1               +   +           + + +   + +            +  +     +
9.6-ESV               +   +           + + +
  + +            +  +     +
9.6.3               +    +     +     + +     + +            +  +     +
9.6.2-P3               +    +           + +     + +            +  +     +
9.6.2-P2               +    +           + +     + +            +  +     +
9.6.2-P1               +    +           + +     + +            +  +     +
9.6.2               +    +           + +     + +            +  +     +
9.6.1-P3               +    +           + +     + +            +  +     +
9.6.1-P2               +    +           + +     + +            +  +     +
9.6.1-P1     + +       +    +           + +     + +            +  +     +
9.6.1   + + +       +    +           + +     + +            +  +     +
9.6.0-P1   + + +       +    +           + +     + +            +  +     +
9.6.0 + + + +       +    +           + +     + +            +  +     +


BIND 9.5

(EOL September 2010; Final matrix update 2011-11-16)

ver/CVE 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
9.5.2-P2                 +   +           +
9.5.1-P3       + +       +   +           +
9.5.1-P1     + + +       +   +           +
9.5.1   + + + +       +   +           +
9.5.0-P2   + + + +       +   +           +
9.5.0-P1   + + + +       +   +           +
9.5.0 + + + + +       +   +           +

BIND 9.4 / 9.4-ESV

(EOL March 2012; Final matrix update 2011-11-16)

ver/CVE 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
9.4-ESV-R5-P1                                           +
9.4-ESV-R5                                         + +
9.4-ESV-R4-P1                                         + +
9.4-ESV-R4                                     +     +
9.4-ESV-R3                           +   +     +     +
9.4-ESV-R2                           +   +           +
9.4-ESV-R1                           +   +           +
9.4-ESV                           +   +           +
9.4.3-P5                           +   +           +
9.4.3-P3                 + +       +   +           +
9.4.3-P1               + + +       +   +           +
9.4.3             + + + +       +   +           +
9.4.2-P1         +   + + + +       +   +           +
9.4.2         + + + + + +       +   +           +
9.4.1-P1         + + + + + +       +   +           +
9.4.1   + +   + + + + + +       +   +           +
9.4.0 + + +   + + + + + +       +   +           +


BIND 9.3

(EOL January 2009; Final matrix update 2011-09-09)

ver/CVE 19 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
9.3.6-P1                       + + +       +   +          
9.3.6                     + + + +       +   +          
9.3.5-P1                     + + + +       +   +          
9.3.5                   + + + + +       +   +          
9.3.4-P1                 + + + + + +       +   +          
9.3.4             +   + + + + + +       +   +          
9.3.3     + +     +   + + + + + +       +   +          
9.3.2   + + +     +   + + + + + +       +   +          
9.3.1   + + +     +   + + + + + +       +   +          
9.3.0  + + + +     +   + + + + + +       +   +          


BIND 9.2

(EOL September 2007; Final matrix update 2011-09-09)

ver/CVE 13 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
9.2.8-P1               + + + + + +       +   +          
9.2.8           +   + + + + + +       +   +          
9.2.7   + +     +   + + + + + +       +   +          
9.2.6   + +     +   + + + + + +       +   +          
9.2.5   + +     +   + + + + + +       +   +          
9.2.4   + +     +   + + + + + +       +   +          
9.2.3   + +     +   + + + + + +       +   +          
9.2.2   + +     +   + + + + + +       +   +          
9.2.1   + +     +   + + + + + +       +   +          
9.2.0  + + +     +   + + + + + +       +   +          


BIND 9.1

(EOL July 2001; Final matrix update 2011-09-09)

ver/CVE 13 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
9.1.3  + +     +   + + + + + +       +   +          
9.1.2  + +     +   + + + + + +       +   +          
9.1.1  + +     +   + + + + + +       +   +          
9.1.0  + +     +   + + + + + +       +   +          


BIND 9.0

(EOL July 2001; Final matrix update 2011-09-09)

ver/CVE 13 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
9.0.1  + +     +   + + + + + +       +   +          
9.0.0
 + +         + + + + + +       +   +