⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2013-4854

11 documents, 10 sources
Severity: 7.8 HIGH
EPSS: 53.7% (top 2.00%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published Jul 29; Latest update May 14

Description

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and 9.9.4-S1b1, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query with a malformed RDATA section that is not properly handled during construction of a log message, as exploited in the wild in July 2013.

CVSS vector

AV:N/AC:L/C:N/I:N/A:C (Exploitability: 10.0 | Impact: 6.9)

Affected Packages (10 packages)

Source | Package | Versions
NVD | isc/dnsco_bind | 9.9.3, 9.9.4 (+1)
Debian | bind9 | < 1:9.8.4.dfsg.P1-6+nmu3+3
NVD | isc/bind | 19 versions (+18)
NVD | hp/hp-ux | b.11.31

Also affects: FreeBSD 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2; Fedora 18, 19; Enterprise Linux 5, 6.0

Vulnerability Details (4)

GHSA | GHSA-pm36-8qh4-c679: The RFC 5011 implementation in rdata | 2022-05-14
OSV | CVE-2013-4854: The RFC 5011 implementation in rdata | 2013-07-29
CVEList | CVE-2013-4854: The RFC 5011 implementation in rdata | 2013-07-26
VulnCheck | ISC BIND RFC 5011 Implementation in rdata.c Denial of Service | 2013

Vendor Advisories (4)

Ubuntu | Bind vulnerability | 2013-07-29
BSD | FreeBSD-SA-13:07.bind: BIND remote denial of service | 2013-07-26
Red Hat | bind: named crash with an assertion failure on parsing malformed rdata | 2013-07-26
Debian | CVE-2013-4854: bind9 - The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-... | 2013

Community (2)

Bugzilla | CVE-2013-4854 bind: named will crash with an assertion failure on parsing malformed rdata [fedora-all] | 2013-07-26
Bugzilla | CVE-2013-4854 bind: named crash with an assertion failure on parsing malformed rdata | 2013-07-26