CVE-2019-6475

Name of the Vulnerable Software and Affected Versions BIND versions 9.14.0 through 9.14.6 BIND versions 9.15.0 through 9.15.4

Description The issue arises from an error in the validity checks for incoming zone data in the mirror zone feature of BIND, allowing an on-path attacker to replace validated zone data with forged data. This feature is often used to serve a local copy of the root zone. If an attacker inserts themselves into the network path between a recursive server using a mirror zone and a root name server, they could cause the recursive server to accept falsified root zone data.

Recommendations For BIND versions 9.14.0 through 9.14.6, update to a version outside of this range to resolve the issue. For BIND versions 9.15.0 through 9.15.4, update to a version outside of this range to resolve the issue. As a temporary workaround, consider disabling the mirror zone feature until a patch is available. Restrict access to the mirror zone data to minimize the risk of exploitation.