CVE-2019-6467

An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c

Description

A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible. Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also affects all releases in the 9.13 development branch.

Remediation

Solution:

Upgrade to the patched release most closely related to your current version of BIND: + BIND 9.12.4-P1 + BIND 9.14.1

Workaround:

Exploitation of this defect can be effectively prevented by disabling the nxdomain-redirect feature in the nameserver's configuration.

References

Link	Tags
https://kb.isc.org/docs/cve-2019-6467	third party advisory
https://www.synology.com/security/advisory/Synology_SA_19_20

Frequently Asked Questions

What is the severity of CVE-2019-6467?: CVE-2019-6467 has been scored as a high severity vulnerability.
How to fix CVE-2019-6467?: To fix CVE-2019-6467: Upgrade to the patched release most closely related to your current version of BIND: + BIND 9.12.4-P1 + BIND 9.14.1
Is CVE-2019-6467 being actively exploited in the wild?: It is possible that CVE-2019-6467 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~19% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-6467?: CVE-2019-6467 affects ISC BIND 9.

Description

Remediation

Category

CWE-617 – Reachable Assertion

References

Frequently Asked Questions