Vulnerability Note VU#734644
ISC BIND 8 vulnerable to cache poisoning via negative responses
The BIND 8 name server contains a cache poisoning vulnerability that allows attackers to conduct denial-of-service attacks on specific target domains.
Several versions of the BIND 8 name server are vulnerable to cache poisoning via negative responses. To exploit this vulnerability, an attacker must configure a name server to return authoritative negative responses for a given target domain. Then, the attacker must convince a victim user to query the attacker's maliciously configured name server. When the attacker's name server receives the query, it will reply with an authoritative negative response containing a large TTL (time-to-live) value. If the victim's site runs a vulnerable version of BIND 8, it will cache the negative response and render the target domain unreachable until the TTL expires.
Attackers may conduct denial-of-service attacks on specific target domains by enticing users to query a malicious name server.
The ISC has prepared BIND 8.3.7 and BIND 8.4.3 to address this vulnerability. Name servers running BIND 4 are not affected. To obtain the latest versions of BIND, please visit
Apply a patch or updated version from your vendor
Many operating system vendors include BIND with their products and will be preparing new versions to address this vulnerability. For a list of vendors that the CERT/CC has received information from regarding this vulnerability, please see the Systems Affected section of this document.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple Computer Inc.||Affected||21 Oct 2003||11 Dec 2003|
|FreeBSD||Affected||21 Oct 2003||01 Dec 2003|
|Guardian Digital Inc.||Affected||21 Oct 2003||02 Dec 2003|
|Hewlett-Packard Company||Affected||21 Oct 2003||03 Dec 2003|
|IBM||Affected||21 Oct 2003||03 Dec 2003|
|Immunix||Affected||-||01 Dec 2003|
|Internet Software Consortium||Affected||04 Sep 2003||01 Dec 2003|
|NetBSD||Affected||21 Oct 2003||17 Nov 2003|
|Nixu||Affected||21 Oct 2003||20 Nov 2003|
|Sun Microsystems Inc.||Affected||21 Oct 2003||01 Dec 2003|
|SuSE Inc.||Affected||21 Oct 2003||01 Dec 2003|
|The SCO Group (SCO UnixWare)||Affected||21 Oct 2003||03 Dec 2003|
|Trustix Secure Linux||Affected||-||01 Dec 2003|
|adns||Not Affected||21 Oct 2003||20 Nov 2003|
|Check Point||Not Affected||21 Oct 2003||27 Oct 2003|
CVSS Metrics (Learn More)
The CERT/CC thanks the Internet Software Consortium for bringing this vulnerability to our attention.
This document was written by Jeffrey P. Lanza.
- CVE IDs: CAN-2003-0914
- Date Public: 26 Nov 2003
- Date First Published: 01 Dec 2003
- Date Last Updated: 04 Jan 2004
- Severity Metric: 1.50
- Document Revision: 40
If you have feedback, comments, or additional information about this vulnerability, please send us email.