ISC BIND DoS Vulnerability - CVE-2019-6477 (Linux)

ISC BIND is prone to a denial of service vulnerability as TCP-pipelined queries can bypass tcp-clients limit.

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.

BIND 9.11.6-P1 - 9.11.12, 9.12.4-P1 - 9.12.4-P2, 9.14.1 - 9.14.7 and 9.11.5-S6 - 9.11.12-S1. Also affects all releases in the 9.15 development branch.

Checks if a vulnerable version is present on the target host.

Update to version 9.11.13, 9.14.8, 9.15.6, 9.11.13-S1 or later.