{"vuid":"VU#187297","idnumber":"187297","name":"ISC BIND does not correctly set default access controls","keywords":["ISC","BIND","default ACLs"],"overview":"ISC (Internet Systems Consortiuim) BIND fails to properly set default access control lists. This may allow unauthorized users to make recursive querries and querry the cache.","clean_desc":"From the ISC BIND security page: The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents. Note that the BIND advisory lists BIND 9.4.0, 9.4.1, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, and 9.5.0a5 as the versions affected.","impact":"A remote, unauthenticated attacker may be able to cause a vulnerable DNS server perform recursion. This could be used to perform denial-of-service attacks. An attacker may also be able to querry the cache.","resolution":"Upgrade or Patch\nThis issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6. Users who obtain BIND from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.","workarounds":"Workarounds for administrators of non-publicly accessisble recursive DNS servers \nUsing firewall rules, limit access to the DNS server to authorized networks. Workarounds for administrators of publicly accessisble recursive DNS servers \nRate limiting the number of external recursion requests may mitigate potential abuse of the DNS server.","sysaffected":"","thanks":"Thanks to ISC for information that was used in this report.","author":"This document was written by Ryan Giobbi.","public":["http://www.isc.org/sw/bind/bind-security.php","http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html"],"cveids":["CVE-2007-2925"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2007-06-21T13:57:36Z","publicdate":"2007-07-24T00:00:00Z","datefirstpublished":"2007-07-27T18:03:41Z","dateupdated":"2008-06-04T21:39:57Z","revision":26,"vrda_d1_directreport":"1","vrda_d1_population":"4","vrda_d1_impact":"3","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"18","cam_impact":"4","cam_easeofexploitation":"20","cam_attackeraccessrequired":"17","cam_scorecurrent":"16.983","cam_scorecurrentwidelyknown":"16.983","cam_scorecurrentwidelyknownexploited":"26.163","ipprotocol":"UDP","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":16.983,"vulnote":null}