CVE-2019-6475: Insufficient Verification of Data Authenticity in Bind

Severity: 7.5 HIGH (NVD), 5.9 (CNA)
EPSS: 0.6% (top 29.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 17
Latest update: May 24

Description

Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to DNSSEC validation before being used in answers, as if it had been looked up via traditional recursion, and when mirror zone data cannot be validated, BIND falls back to using traditional recursion instead of the mirror zone. However, an error in the validity checks for the incoming zone data can allow

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Alpine     isc/bind     < 9.14.7-r0     +13
NVD        isc/bind     9.14.0     9.14.6     +1
CVEListV5  isc/bind_9   9.14.0 up to 9.14.6, 9.15.0 up to 9.15.4     +1

🔴 Vulnerability Details (3)

GHSA: GHSA-2gfp-93f7-f268: Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers (2022-05-24)
CVEList: A flaw in mirror zone validity checking can allow zone data to be spoofed (2019-10-17)
OSV: CVE-2019-6475: Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers (2019-10-17)

📋 Vendor Advisories (3)

Chrome: Stable Channel Update for Desktop: CVE-2020-6475 (2020-05-19)
Red Hat: bind: A flaw in mirror zone validity checking can allow zone data to be spoofed (2019-10-16)
Debian: CVE-2019-6475: bind9 - Mirror zones are a BIND feature allowing recursive servers to pre-cache zone dat... (2019)

💬 Community (2)

Bugzilla: CVE-2019-6475 bind: A flaw in mirror zone validity checking can allow zone data to be spoofed [fedora-all] (2019-10-17)
Bugzilla: CVE-2019-6475 bind: A flaw in mirror zone validity checking can allow zone data to be spoofed (2019-10-17)