CVE-2019-6475 : What You Need to Know

A flaw in mirror zone validity checking can allow zone data to be spoofed.

Understanding CVE-2019-6475

Mirror zones in BIND are a helpful asset for recursive servers, allowing pre-caching of zone data from other servers. However, a vulnerability in mirror zone validity checking can lead to data spoofing.

What is CVE-2019-6475?

Mirror zones in BIND undergo DNSSEC validation before being used in responses. An error in validity checks can enable an attacker to replace trusted zone data with falsified data, affecting BIND versions 9.14.0 to 9.14.6 and 9.15.0 to 9.15.4.

The Impact of CVE-2019-6475

CVSS Score: 5.9 (Medium)
Attack Vector: Network
Integrity Impact: High
Privileges Required: None
Scope: Unchanged
This vulnerability allows an attacker to replace mirrored zone data with their own, bypassing DNSSEC protection.

Technical Details of CVE-2019-6475

Vulnerability Description

Mirror zones in BIND can be exploited by attackers to insert falsified data, affecting the integrity of the DNS responses.

Affected Systems and Versions

Affected Product: BIND 9
Vendor: ISC
Affected Versions:
9.14.0 up to 9.14.6
9.15.0 up to 9.15.4

Exploitation Mechanism

Attackers can exploit this vulnerability by manipulating the mirror zone data during DNSSEC validation, potentially leading to acceptance of falsified data.

Mitigation and Prevention

Immediate Steps to Take

Upgrade to the patched releases closest to your current BIND version: BIND 9.14.7 or BIND 9.15.5
Avoid using mirror zones to mitigate the vulnerability

Long-Term Security Practices

Regularly update BIND to the latest patched versions
Implement network monitoring and intrusion detection systems
Conduct security audits and assessments periodically

Patching and Updates

Apply vendor-provided patches promptly to address security vulnerabilities