ISC · BIND 9 · CVE-2020-8624
Name of the Vulnerable Software and Affected Versions:
Bind9 versions 9.9.12 through 9.9.13
Bind9 versions 9.10.7 through 9.10.8
Bind9 versions 9.11.3 through 9.11.21
Bind9 versions 9.12.1 through 9.16.5
Bind9 versions 9.17.0 through 9.17.3
Bind9 Supported Preview Edition versions 9.9.12-S1 through 9.9.13-S1
Bind9 Supported Preview Edition versions 9.11.3-S1 through 9.11.21-S1
Description:
The issue stems from errors in processing `update-policy` rules of type 'subdomain' in the Bind9 DNS server package. A remote attacker can exploit this to update all parts of a DNS zone along with the subdomain intended for update. This can occur when the attacker has been granted privileges to change a specific subset of the zone's content: the flaw gives them unintended additional privileges, which they can abuse to update other contents of the zone.
Recommendations:
For Bind9 versions 9.9.12 through 9.9.13, update to a version outside of this range to mitigate the risk.
For Bind9 versions 9.10.7 through 9.10.8, update to a version outside of this range to mitigate the risk.
For Bind9 versions 9.11.3 through 9.11.21, update to a version outside of this range to mitigate the risk.
For Bind9 versions 9.12.1 through 9.16.5, update to a version outside of this range to mitigate the risk.
For Bind9 versions 9.17.0 through 9.17.3, update to a version outside of this range to mitigate the risk.
For Bind9 Supported Preview Edition versions 9.9.12-S1 through 9.9.13-S1, update to a version outside of this range to mitigate the risk.
For Bind9 Supported Preview Edition versions 9.11.3-S1 through 9.11.21-S1, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to the `update-policy` rules of type 'subdomain' until a patch is available.
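To find where this exposure applies, the following added example (not part of the original advisory and not ISC tooling) checks a reported version against the affected ranges listed above and lists the `grant ... subdomain` rules in a zone configuration whose intended scope should be reviewed. The sample configuration, key names and zone names are constructed, and release suffixes such as `-S1` are ignored because the Preview Edition ranges share the same numbers.

```python
import re

# Affected ranges as listed in this advisory (inclusive). The Supported Preview
# Edition (-S1) ranges share the numbers of the 9.9 and 9.11 rows.
AFFECTED = [((9, 9, 12), (9, 9, 13)), ((9, 10, 7), (9, 10, 8)),
            ((9, 11, 3), (9, 11, 21)), ((9, 12, 1), (9, 16, 5)),
            ((9, 17, 0), (9, 17, 3))]

RULE_RE = re.compile(r"\b(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)([^;]*);")

# Constructed sample zone; key and zone names are hypothetical.
SAMPLE_CONF = '''
zone "example.com" {
    type master;
    update-policy {
        grant dhcp-key subdomain dyn.example.com. A AAAA TXT;  // intended scope
        grant admin-key zonesub ANY;
        deny guest-key subdomain lab.example.com. ANY;
    };
};
'''

def is_affected(version_text):
    """True if the x.y.z in e.g. `named -v` output is inside a listed range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no version number in {version_text!r}")
    v = tuple(int(g) for g in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def subdomain_grants(conf_text):
    """Return (identity, name, types) for every 'grant ... subdomain' rule."""
    # Drop /* */, // and # comments before matching (ignores '#' inside strings).
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf_text, flags=re.S)
    found = []
    for block in re.findall(r"update-policy\s*\{(.*?)\}", text, flags=re.S):
        for action, ident, ruletype, name, types in RULE_RE.findall(block):
            if action == "grant" and ruletype == "subdomain":
                found.append((ident.strip('"'), name.strip('"'), types.split()))
    return found

def audit(version_text, conf_text):
    """Rules whose scope cannot be trusted on an affected build, else []."""
    return subdomain_grants(conf_text) if is_affected(version_text) else []

if __name__ == "__main__":
    for ident, name, types in audit("BIND 9.16.5", SAMPLE_CONF):
        print(f"review: key {ident} limited to {name} {types} may reach whole zone")
```

Each rule it reports names a key whose holder should be treated as able to update the entire zone until the server runs a version outside the affected ranges.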