CVE-2019-6465 : What You Need to Know

Discover the impact of CVE-2019-6465 on BIND 9. Learn about the vulnerability allowing unauthorized zone transfers in Dynamically Loadable Zones (DLZs) and find mitigation steps to secure your system.

Zone transfer controls for Dynamically Loadable Zones (DLZs) in BIND 9 were found to be ineffective, potentially allowing unauthorized zone transfers. This vulnerability affects various versions of BIND 9.

Understanding CVE-2019-6465

This CVE relates to a flaw in BIND 9 that could permit unauthorized zone transfers for writable DLZ zones.

What is CVE-2019-6465?

The vulnerability arises because zone transfer controls are not correctly applied to DLZs in BIND 9 when the zones are writable.

The Impact of CVE-2019-6465

        CVSS Base Score: 5.3 (Medium Severity)
        Attack Vector: Network
        Attack Complexity: Low
        Confidentiality Impact: Low
        Integrity Impact: None
        Availability Impact: None
        Privileges Required: None
        User Interaction: None
        Scope: Unchanged

Technical Details of CVE-2019-6465

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The vulnerability allows a client to request and receive a zone transfer of a DLZ, even when not permitted by the allow-transfer ACL.

Affected Systems and Versions

        Versions 9.9.0 to 9.10.8-P1, 9.11.0 to 9.11.5-P2, 9.12.0 to 9.12.3-P2 of BIND 9 Supported Preview Edition
        Versions 9.9.3-S1 to 9.11.5-S3 of BIND 9 Supported Preview Edition
        Versions 9.13.0 to 9.13.6 of the 9.13 development branch

Exploitation Mechanism

The vulnerability can be exploited by a client to perform unauthorized zone transfers in BIND 9.

Mitigation and Prevention

To address CVE-2019-6465, follow these mitigation steps:

Immediate Steps to Take

        Upgrade to the patched release closest to your current BIND version:
              BIND 9.11.5-P4 or later
              BIND 9.12.3-P4 or later

Long-Term Security Practices

        Regularly review and update ACLs and zone transfer controls
        Monitor for unauthorized zone transfer activities
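
One way to monitor for unauthorized zone transfers, as an added example that is not part of the original advisory or of BIND itself: it scans named's transfer log messages and flags any transfer started for a client outside the secondaries you intend to allow, independently of whether named enforced allow-transfer. The log line shape, the zone name dlz.example, the documentation-range addresses and the EXPECTED policy are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed shape of named's xfer-out "transfer started" message; the "@0x..."
# client handle and the "view X:" prefix are optional across BIND versions.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:view \S+: )?transfer of '(?P<zone>[^'/]+)/IN': "
    r"(?P<kind>AXFR(?:-style IXFR)?|IXFR) started"
)

# Hypothetical policy: the secondaries each zone's allow-transfer ACL is meant
# to admit. Kept outside named.conf so it does not depend on named enforcing it.
EXPECTED = {"dlz.example": ["192.0.2.53/32", "2001:db8::53/128"]}

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "27-Feb-2019 10:15:02.101 client @0x7f5c1c0a2b10 192.0.2.53#41822 (dlz.example): "
    "transfer of 'dlz.example/IN': AXFR started (serial 2019022701)",
    "27-Feb-2019 10:17:44.930 client @0x7f5c1c0a3c20 203.0.113.7#50211 (dlz.example): "
    "transfer of 'dlz.example/IN': AXFR started (serial 2019022701)",
    "27-Feb-2019 10:18:03.412 client @0x7f5c1c0a4d30 2001:db8::53#53310 (dlz.example): "
    "transfer of 'dlz.example/IN': AXFR-style IXFR started (serial 2019022701)",
    "27-Feb-2019 10:19:10.007 client 198.51.100.9#40100 (dlz.example): "
    "query: dlz.example IN SOA +",
]

def unauthorized_transfers(lines, expected=EXPECTED):
    """Return (client_ip, zone, kind) for each transfer started for a client
    outside the intended ACL. Zones missing from the policy admit nobody."""
    findings = []
    for line in lines:
        m = XFER_RE.search(line)
        if not m:
            continue  # not a transfer-start message
        try:
            client = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field, skip the line
        zone = m.group("zone").rstrip(".").lower()
        nets = [ipaddress.ip_network(n) for n in expected.get(zone, [])]
        if not any(client in net for net in nets):
            findings.append((str(client), zone, m.group("kind")))
    return findings

if __name__ == "__main__":
    for ip, zone, kind in unauthorized_transfers(SAMPLE_LOG):
        print(f"ALERT {kind} of {zone} to unexpected client {ip}")
```

On a server still running an affected version, a hit for a DLZ zone means the transfer was served despite the ACL, so treat the zone contents as disclosed to that client.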

Patching and Updates

        Upgrade to the latest patched versions:
              BIND 9.11.5-S5 for BIND Supported Preview Edition
