Vulnerability Note VU#418861
BIND DNS Nameserver, DNSSEC validation Vulnerability
A vulnerability exists in the way BIND 9 handles recursive client queries that may cause additional records to be added to its cache.
BIND 9 contains a vulnerability in the way recursive client queries are handled. According to ISC:
A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query with checking disabled (CD), or when the nameserver internally triggers a query for missing records for recursive name resolution. Cached records can be returned in response to subsequent client queries with or without requesting DNSSEC records (DO). In addition, some of them can be returned to queries with or without checking disabled (CD).
An attacker may be able to manipulate cache data and perform DNS Cache Poisoning.
Disable DNSSEC Validation
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Internet Systems Consortium||Affected||02 Dec 2009||02 Dec 2009|
|Alcatel-Lucent||Unknown||02 Dec 2009||02 Dec 2009|
|Apple Inc.||Unknown||02 Dec 2009||02 Dec 2009|
|BlueCat Networks, Inc.||Unknown||02 Dec 2009||02 Dec 2009|
|Check Point Software Technologies||Unknown||02 Dec 2009||02 Dec 2009|
|Conectiva Inc.||Unknown||02 Dec 2009||02 Dec 2009|
|Cray Inc.||Unknown||02 Dec 2009||02 Dec 2009|
|Debian GNU/Linux||Unknown||02 Dec 2009||02 Dec 2009|
|DragonFly BSD Project||Unknown||02 Dec 2009||02 Dec 2009|
|EMC Corporation||Unknown||02 Dec 2009||02 Dec 2009|
|Engarde Secure Linux||Unknown||02 Dec 2009||02 Dec 2009|
|Ericsson||Unknown||02 Dec 2009||02 Dec 2009|
|F5 Networks, Inc.||Unknown||02 Dec 2009||02 Dec 2009|
|Fedora Project||Unknown||02 Dec 2009||02 Dec 2009|
|FreeBSD Project||Unknown||02 Dec 2009||02 Dec 2009|
CVSS Metrics (Learn More)
ISC credits Michael Sinatra, UC Berkeley with finding this issue.
This document was written by Chris Taschner.
- CVE IDs: CVE-2009-4022
- Date Public: 19 Nov 2009
- Date First Published: 01 Dec 2009
- Date Last Updated: 19 Jan 2010
- Document Revision: 14
If you have feedback, comments, or additional information about this vulnerability, please send us email.