ISC · BIND · CVE-2017-3142
**Name of the Vulnerable Software and Affected Versions**
BIND versions 9.4.0 through 9.8.8
BIND versions 9.9.0 through 9.9.10-P1
BIND versions 9.10.0 through 9.10.5-P1
BIND versions 9.11.0 through 9.11.1-P1
BIND versions 9.9.3-S1 through 9.9.10-S2
BIND versions 9.10.5-S1 through 9.10.5-S2
**Description**
The issue allows an attacker who can send and receive messages to an authoritative DNS server, and who knows the name of a valid TSIG key (the key's secret is not needed), to circumvent TSIG authentication of AXFR requests with a carefully constructed request packet. This could result in an AXFR of a zone being provided to an unauthorized recipient or in bogus NOTIFY packets being accepted. An attacker could also send specially crafted data to bypass TSIG authentication and manipulate the server into accepting an unauthorized dynamic update.
**Recommendations**
For BIND versions 9.4.0 through 9.8.8, update to a version outside of this range to mitigate the risk.
For BIND versions 9.9.0 through 9.9.10-P1, update to a version outside of this range to mitigate the risk.
For BIND versions 9.10.0 through 9.10.5-P1, update to a version outside of this range to mitigate the risk.
For BIND versions 9.11.0 through 9.11.1-P1, update to a version outside of this range to mitigate the risk.
For BIND versions 9.9.3-S1 through 9.9.10-S2, update to a version outside of this range to mitigate the risk.
For BIND versions 9.10.5-S1 through 9.10.5-S2, update to a version outside of this range to mitigate the risk.
As a temporary workaround, avoid disclosing TSIG key names and add address-based ACL protection so that zone transfers, NOTIFY messages and dynamic updates are accepted only from known peer addresses in addition to requiring the key, which minimizes the risk of exploitation.
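The following named.conf fragment is an added illustration of the address-based ACL workaround and is not part of the ISC advisory; the key name, secret, zone name, file names and addresses are placeholders chosen for the example.

```conf
// Constructed example, not from the advisory: placeholder key, zone and addresses.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";   // replace with a real generated secret
};

// Addresses of the peers that are allowed to transfer, update or notify.
acl secondaries { 192.0.2.10; 192.0.2.11; };
acl primaries   { 192.0.2.1; };

/* WEAK (affected versions): authorization rests on TSIG alone, and this
 * issue lets a sender who merely knows the key name pass the TSIG check.
 *
 * zone "example.test" {
 *     type master;
 *     file "example.test.db";
 *     allow-transfer { key xfer-key; };
 *     allow-update   { key xfer-key; };
 * };
 */

// HARDENED: require BOTH a known source address AND the TSIG key.
// The nested negated list { !secondaries; any; } matches every address
// outside 'secondaries'; negating it rejects those, then the key is checked.
zone "example.test" {
    type master;
    file "example.test.db";
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
    allow-update   { !{ !secondaries; any; }; key xfer-key; };
};

// On a secondary, accept NOTIFY only from the configured primaries' addresses
// so a forged, TSIG-bypassing NOTIFY from elsewhere is dropped.
zone "example.test" {
    type slave;
    file "example.test.db";
    masters { 192.0.2.1; };
    allow-notify { primaries; };
};
```

The two stanzas for "example.test" show the primary and the secondary side of the same zone and belong in different servers' configurations, not in one file.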