Fix for CVE-2006-2073
Mark Andrews
marka at isc.org
Wed Oct 19 00:32:48 UTC 2011
In message <87k482kw0l.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> I've noticed that nobody seems to have accurate information about
> CVE-2006-2073 on file. This was a vulnerability in handling
> TSIG-based authentication *after* authentication, so it wasn't a high
> priority issue.
Actually it required the target server to be configured as a slave
to a custom built rogue master or for the attacker be in a position
to intercept the AXFR/IXFR request to a non compromised master. It
also required that TSIG not be being used to authenticate the
AXFR/IXFR request.
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type:Allows disruption of service
I fail to see how this could ever have been classified as
Access Complexity: Low.
Looking at the CVE it looks like this bug fix contains the correction.
2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
responses more gracefully. [RT #15941]
> What was the first BIND version that fixed it?
9.2.7, 9.3.3, 9.4.0.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list