Vulnerability Note VU#187297

ISC BIND does not correctly set default access controls

Original Release date: 27 Jul 2007 | Last revised: 04 Jun 2008


ISC (Internet Systems Consortium) BIND fails to properly set its default access control lists. This may allow unauthorized users to make recursive queries and to query the cache.


From the ISC BIND security page:

    The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents.

Note that the BIND advisory lists BIND 9.4.0, 9.4.1, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, and 9.5.0a5 as the versions affected.


A remote, unauthenticated attacker may be able to cause a vulnerable DNS server to perform recursion on the attacker's behalf. This could be used to perform denial-of-service attacks. An attacker may also be able to query the contents of the server's cache.
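The two behaviours described above (a server recursing for anyone, and a server answering cache queries from anyone) can be checked from the wire. The following is an added example, not code from CERT/CC or ISC: it builds a minimal DNS query with the RD (recursion desired) bit set or cleared and classifies the server's reply from its header flags and counts. The probe target, query name and the sample replies are constructed for illustration; the classification is a heuristic for a name the probed server is not authoritative for.

```python
"""Probe a resolver for open recursion and readable cache (added example)."""
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(qname: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Encode a single A/IN query for qname (no EDNS, no name compression)."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + labels + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(reply: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the classifier uses."""
    if len(reply) < 12:
        raise ValueError("truncated DNS reply")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
        "nscount": ns, "arcount": ar,
    }


def classify(reply: bytes, rd_sent: bool) -> str:
    """Classify a reply to a query for a name the server is NOT authoritative for.

    A NOERROR reply with answers and AA clear means the server either recursed
    for us (RD was set) or handed out cached data (RD was clear). REFUSED is
    what an allow-recursion / allow-query-cache denial looks like.
    """
    h = parse_header(reply)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["aa"]:
        return "authoritative"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-recursion" if rd_sent else "cache-readable"
    if h["rcode"] == RCODE_NOERROR and h["nscount"] > 0:
        return "referral"
    return "rcode-%d" % h["rcode"]


def probe(server: str, qname: str, rd: bool, timeout: float = 3.0) -> str:
    """Send one UDP query to server:53 and classify the reply (needs network)."""
    query = build_query(qname, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(data, rd_sent=rd)


# Constructed sample replies (header only; the classifier ignores the body).
RECURSED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)           # server recursed for us
REFUSED = struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)  # ACL denied the query
CACHE_HIT = struct.pack("!HHHHHH", 0x1234, QR | RA, 1, 1, 0, 0)               # RD clear, answered from cache
REFERRAL = struct.pack("!HHHHHH", 0x1234, QR, 1, 0, 2, 0)                     # pointed at other servers

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder address (assumption)
    for rd in (True, False):
        try:
            print("RD=%d -> %s" % (rd, probe(target, "www.example.com", rd)))
        except (OSError, ValueError) as exc:
            print("RD=%d -> probe failed: %s" % (rd, exc))
```

Run it against a resolver you own: "open-recursion" for the RD=1 probe and "cache-readable" for the RD=0 probe are the two outcomes this note is about; "refused" is what a correctly applied ACL produces for an unauthorized client.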


Upgrade or Patch
This issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 and BIND 9.5.0a6. Users who obtain BIND from their operating system vendor should see the Systems Affected section of this document for a partial list of affected vendors.

Workarounds for administrators of non-publicly accessible recursive DNS servers

  • Using firewall rules, limit access to the DNS server to authorized networks.
Workarounds for administrators of publicly accessible recursive DNS servers
  • Rate limiting the number of external recursion requests may mitigate potential abuse of the DNS server.
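Because the defect is in the defaults, a configuration that never names allow-recursion or allow-query-cache is the one exposed. Independently of upgrading, stating both ACLs explicitly removes the dependence on defaults. The following is an added example, not code from ISC or CERT/CC: it audits the options block of a named.conf for those two statements and flags configurations that omit them or open them to any client. The three sample configurations are constructed; the acl name "trusted" and its address ranges are assumptions.

```python
"""Audit a named.conf options block for explicit recursion/cache ACLs (added example)."""
import re

# Statements whose absence leaves recursion and cache access to BIND's built-in
# defaults, i.e. the defaults this advisory says were not being applied.
REQUIRED = ("allow-recursion", "allow-query-cache")
# Address-match-list tokens that grant access to every client.
OPEN_VALUES = {"any", "0.0.0.0/0", "::/0"}


def options_block(conf: str) -> str:
    """Return the body of the top-level options { ... } block, brace-matched."""
    text = re.sub(r"//.*|#.*", "", conf)                 # strip line comments
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)    # strip block comments
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in options block")


def acl_value(block: str, statement: str):
    """Tokens of the statement's address-match list, or None if it is not set."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(statement), block)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def audit(conf: str) -> list:
    """Return findings; an empty list means both ACLs are explicit and not wide open."""
    block = options_block(conf)
    if not block:
        return ["no options block found"]
    findings = []
    recursion_off = re.search(r"\brecursion\s+no\s*;", block) is not None
    for stmt in REQUIRED:
        if stmt == "allow-recursion" and recursion_off:
            continue  # nothing to recurse; the cache ACL still matters below
        value = acl_value(block, stmt)
        if value is None:
            findings.append("%s not set: relying on the built-in default" % stmt)
        elif any(v in OPEN_VALUES for v in value):
            findings.append("%s grants access to any client: %s" % (stmt, value))
    return findings


# Constructed sample: relies on defaults (the configuration this note is about).
RELIES_ON_DEFAULTS = """
options {
    directory "/var/named";
    recursion yes;
    // no allow-recursion / allow-query-cache: the defaults decide who may recurse
};
"""

# Constructed sample: explicit ACLs. 'trusted' and its ranges are assumptions.
EXPLICIT_ACLS = """
acl trusted { 127.0.0.1; ::1; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
"""

# Constructed sample: explicit, but deliberately an open resolver.
WIDE_OPEN = """
options {
    recursion yes;
    allow-recursion { any; };
    allow-query-cache { any; };
};
"""

if __name__ == "__main__":
    for name, conf in (("defaults", RELIES_ON_DEFAULTS),
                       ("explicit", EXPLICIT_ACLS),
                       ("open", WIDE_OPEN)):
        print(name, "->", audit(conf) or ["ok"])
```

The audit is deliberately narrow: it only asks whether the two statements the advisory concerns are present and not open to everyone. It does not evaluate the address-match lists themselves, so a permissive acl definition elsewhere in the file still has to be reviewed by hand.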

Systems Affected

Vendor                          Status          Date Notified    Date Updated
Debian GNU/Linux                Affected        27 Jul 2007      30 Jul 2007
Internet Software Consortium    Affected        -                27 Jul 2007
EMC Corporation                 Not Affected    27 Jul 2007      30 Jul 2007
Hitachi                         Not Affected    27 Jul 2007      30 Jul 2007
Openwall GNU/*/Linux            Not Affected    27 Jul 2007      08 Aug 2007
Red Hat, Inc.                   Not Affected    27 Jul 2007      28 Jul 2007
Sun Microsystems, Inc.          Not Affected    27 Jul 2007      03 Aug 2007
SUSE Linux                      Not Affected    27 Jul 2007      02 Aug 2007
Apple Computer, Inc.            Unknown         27 Jul 2007      27 Jul 2007
Conectiva Inc.                  Unknown         27 Jul 2007      27 Jul 2007
Cray Inc.                       Unknown         27 Jul 2007      27 Jul 2007
Engarde Secure Linux            Unknown         27 Jul 2007      27 Jul 2007
F5 Networks, Inc.               Unknown         27 Jul 2007      27 Jul 2007
Fedora Project                  Unknown         27 Jul 2007      27 Jul 2007
FreeBSD, Inc.                   Unknown         27 Jul 2007      27 Jul 2007
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score    Vector
Base           N/A      N/A
Temporal       N/A      N/A
Environmental  N/A      N/A



Thanks to ISC for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2007-2925
  • Date Public: 24 Jul 2007
  • Date First Published: 27 Jul 2007
  • Date Last Updated: 04 Jun 2008
  • Severity Metric: 16.98
  • Document Revision: 25


If you have feedback, comments, or additional information about this vulnerability, please send us email.