CVE-2019-6476

An error in QNAME minimization code can cause BIND to exit with an assertion failure

Description

A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4.

Remediation

Solution:

Upgrade to the patched release most closely related to your current version of BIND: + BIND 9.14.7 + BIND 9.15.5

Workaround:

ervers which have QNAME minimization turned on are potentially vulnerable to this defect if they are running an affected version of BIND. The vulnerability can be avoided by disabling QNAME minimization using "qname-minimization disabled;" in the global options section of named.conf (Note: the default value for the qname-minimization setting in the 9.14 and 9.15 branches is "relaxed". To make use of this workaround it must be explicitly disabled.)

References

Link	Tags
https://kb.isc.org/docs/cve-2019-6476	third party advisory
https://security.netapp.com/advisory/ntap-20191024-0004/
https://support.f5.com/csp/article/K42238532?utm_source=f5support&%3Butm_medium=RSS

Frequently Asked Questions

What is the severity of CVE-2019-6476?: CVE-2019-6476 has been scored as a medium severity vulnerability.
How to fix CVE-2019-6476?: To fix CVE-2019-6476: Upgrade to the patched release most closely related to your current version of BIND: + BIND 9.14.7 + BIND 9.15.5
Is CVE-2019-6476 being actively exploited in the wild?: It is possible that CVE-2019-6476 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-6476?: CVE-2019-6476 affects ISC BIND 9.

Description

Remediation

Category

CWE-617 – Reachable Assertion

References

Frequently Asked Questions