DSA-3904-1 bind9 -- bind9
ID: oval:org.secpod.oval:def:70574 | Date: (C)2021-04-01 (M)2022-10-10 |
Class: PATCH | Family: unix |
An attacker who is able to send and receive messages to an authoritative DNS server and who knows the name of a valid TSIG key (the key name alone; the shared secret is not required) may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection, with no address-based ACL in addition, could be manipulated into:

- providing an AXFR of a zone to an unauthorized recipient;
- accepting bogus NOTIFY packets.

Separately, an attacker who is able to send and receive messages to an authoritative DNS server and who knows the name of a valid TSIG key for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update.

The first issue is CVE-2017-3142, the second CVE-2017-3143; both are fixed by the bind9 packages covered by this advisory. This is a patch-class definition, so it checks the installed package version and not named.conf. Independently of the upgrade, zone ACLs (allow-transfer, allow-update, allow-notify) should combine the key element with an address or acl element rather than relying on the key alone, since a configuration that trusts the key by itself is exactly the one these issues expose.
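The precondition in both issues is a zone ACL that grants access on a key match alone. The following audit script is an added example, not part of the advisory or of BIND itself: it scans a named.conf for allow-transfer, allow-update and allow-notify clauses whose only elements are `key` names and reports them. The configuration it scans is constructed for the demonstration (zone names, key names and addresses are placeholders), and the hardened zone uses the BIND address-match-list idiom `!{ !<addresses>; any; }; key <name>;`, which under BIND's first-match rules denies any client outside the address set before the key is even considered, so both the source address and the key must match.

```python
"""Audit a BIND named.conf for zone ACLs that rely on TSIG keys alone.

Added example, not part of the advisory or of BIND. It flags allow-transfer,
allow-update and allow-notify clauses whose only matching elements are
`key` names, i.e. the configuration exposed when TSIG verification can be
bypassed by someone who merely knows the key name.
"""
import re

# Constructed sample configuration for the demonstration; not a real server.
SAMPLE_NAMED_CONF = r"""
key "xfer-key" { algorithm hmac-sha256; secret "c2VjcmV0"; };   // placeholder secret
key "upd-key"  { algorithm hmac-sha256; secret "c2VjcmV0"; };
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

zone "example.org" {
    type master;
    file "db.example.org";
    allow-transfer { key xfer-key; };            # key only: exposed
    allow-update   { key upd-key; };             # key only: exposed
    allow-notify   { 192.0.2.10; };              # address only: not key-only
};

zone "secure.example" {
    type master;
    file "db.secure.example";
    /* both an address and a key must match */
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
    allow-update   { !{ !192.0.2.0/24; any; }; key upd-key; };
};
"""

ACL_DIRECTIVES = ("allow-transfer", "allow-update", "allow-notify")


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot confuse the parser."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def balanced_block(text, start):
    """Return the text between the '{' at index `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")


def iter_zones(conf):
    """Yield (zone name, zone body) for every zone statement."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        yield m.group(1), balanced_block(conf, m.end() - 1)


def acl_elements(body):
    """Split an address_match_list body into its top-level elements."""
    elems, depth, cur = [], 0, ""
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            if cur.strip():
                elems.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        elems.append(cur.strip())
    return elems


def key_only(elements):
    """True when every element is a `key <name>` clause (and there is at least one)."""
    return bool(elements) and all(
        re.fullmatch(r'key\s+"?[\w.-]+"?', e) for e in elements)


def find_key_only_acls(conf_text):
    """Return (zone, directive, elements) for each ACL that trusts a key alone."""
    conf = strip_comments(conf_text)
    findings = []
    for zone, body in iter_zones(conf):
        for directive in ACL_DIRECTIVES:
            for m in re.finditer(r"\b%s\s*\{" % directive, body):
                elems = acl_elements(balanced_block(body, m.end() - 1))
                if key_only(elems):
                    findings.append((zone, directive, elems))
    return findings


if __name__ == "__main__":
    for zone, directive, elems in find_key_only_acls(SAMPLE_NAMED_CONF):
        print("%s: %s relies on key alone: %s" % (zone, directive, "; ".join(elems)))
```

Run against the sample, the script reports only the two key-only clauses of example.org; the secure.example zone passes because its address restriction is evaluated first. The parser is deliberately tolerant rather than complete (it does not expand `include` statements or named acl references), so treat a clean result as a first check, not proof.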