CVE-2019-6477

TCP-pipelined queries can bypass tcp-clients limit

Description

With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).

Remediation

Solution:

  • Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.13 BIND 9.14.8 BIND 9.15.6 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9.11.13-S1 Note that the fix for CVE-2019-6477 addresses only the server memory leak issue. TCP-pipelining may still malfunction by dropping some responses on a TCP connection where a client query pattern generates excessive outstanding queries, but the malfunction will affect that TCP connection alone and will not cause any degradation of service to other clients. An affected client connection might also appear to hang, but will clear when either the client or the server initiates a close or reset and will not remain in that state indefinitely. Disabling TCP-pipelining entirely is completely effective at mitigating the vulnerability with minimal impact to clients that use pipelined TCP connections and with no impact to clients that do not support TCP-pipelining. The majority of Internet client DNS queries are transported over UDP or TCP without use of TCP-pipelining.

Workaround:

  • The vulnerability can be avoided by disabling server TCP-pipelining: keep-response-order { any; }; and then restarting BIND. The server restart is necessary because neither a 'reload' nor a 'reconfig' operation will properly reset currently pipelining TCP clients.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 5.71% Top 15%
Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory debian.org Vendor Advisory opensuse.org Vendor Advisory opensuse.org
Affected: ISC BIND9
Published at:
Updated at:

References

Link Tags
https://kb.isc.org/docs/cve-2019-6477 third party advisory
https://www.synology.com/security/advisory/Synology_SA_19_39 third party advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/ vendor advisory
https://support.f5.com/csp/article/K15840535?utm_source=f5support&%3Butm_medium=RSS
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/ vendor advisory
https://www.debian.org/security/2020/dsa-4689 vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html vendor advisory

Frequently Asked Questions

What is the severity of CVE-2019-6477?
CVE-2019-6477 has been scored as a high severity vulnerability.
How to fix CVE-2019-6477?
To fix CVE-2019-6477: Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.13 BIND 9.14.8 BIND 9.15.6 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9.11.13-S1 Note that the fix for CVE-2019-6477 addresses only the server memory leak issue. TCP-pipelining may still malfunction by dropping some responses on a TCP connection where a client query pattern generates excessive outstanding queries, but the malfunction will affect that TCP connection alone and will not cause any degradation of service to other clients. An affected client connection might also appear to hang, but will clear when either the client or the server initiates a close or reset and will not remain in that state indefinitely. Disabling TCP-pipelining entirely is completely effective at mitigating the vulnerability with minimal impact to clients that use pipelined TCP connections and with no impact to clients that do not support TCP-pipelining. The majority of Internet client DNS queries are transported over UDP or TCP without use of TCP-pipelining.
Is CVE-2019-6477 being actively exploited in the wild?
It is possible that CVE-2019-6477 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~6% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-6477?
CVE-2019-6477 affects ISC BIND9.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.