ISC BIND Winsock API Vulnerability (CVE-2013-6230) - Windows

Information

Severity

Medium

Family

General

CVSSv2 Base

6.8

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Solution Type

Vendor Patch

Created

2 years ago

Modified

2 years ago

Summary

ISC BIND is prone to a vulnerability in the Winsock API.

Insight

On some Microsoft Windows systems, a network interface that has an 'all ones' IPv4 subnet mask (255.255.255.255) will be incorrectly reported (by the Winsock WSAIoctl API) as an all zeroes value (0.0.0.0). Because interfaces' netmasks are used to compute the broadcast domain for each interface during construction of the built-in 'localnets' ACL, an all zeroes netmask can cause matches on any IPv4 address, permitting unexpected access to any BIND feature configured to allow access to 'localnets'. And unless overridden by a specific value in named.conf, the default permissions for several BIND features (for example, allow-query-cache, allow-query-cache-on, allow-recursion, and others) use this predefined 'localnets' ACL. In addition, non-default access controls and other directives using an address match list with the predefined 'localnets' ACL may not match as expected. This may include rndc 'controls', 'allow-notify', 'allow-query', 'allow-transfer', 'allow-update', 'blackhole', 'filter-aaaa', 'deny-answer-addresses', 'exempt-clients', and other directives if an administrator has specified the 'localnets' ACL in their match lists.
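The effect described above can be reproduced with a small model of how a 'localnets'-style ACL is derived from interface address and netmask pairs. This is an added example, not code from BIND or from the scanner; the function names and the interface and client addresses are constructed for illustration.

```python
import ipaddress

def build_localnets(interfaces):
    """Model of a 'localnets'-style ACL: one network per (address, netmask)
    pair, as reported by the operating system for each interface."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for addr, mask in interfaces]

def acl_allows(acl, client):
    """True if the client address falls inside any network in the ACL."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in acl)

def match_all_entries(acl):
    """Audit helper: ACL entries with a zero-length prefix match every
    IPv4 address and indicate a misreported netmask."""
    return [net for net in acl if net.prefixlen == 0]

# Constructed sample data: the same host as it should be reported, and as
# reported when the all-ones mask comes back as all zeroes.
CORRECT = [("192.0.2.10", "255.255.255.255"), ("10.0.0.5", "255.255.255.0")]
MISREPORTED = [("192.0.2.10", "0.0.0.0"), ("10.0.0.5", "255.255.255.0")]
OUTSIDE_CLIENT = "203.0.113.7"  # constructed address, not on any local network

if __name__ == "__main__":
    for label, ifaces in (("correct", CORRECT), ("misreported", MISREPORTED)):
        acl = build_localnets(ifaces)
        print(label, [str(n) for n in acl],
              "outside client allowed:", acl_allows(acl, OUTSIDE_CLIENT),
              "match-all entries:", [str(n) for n in match_all_entries(acl)])
```

On an affected host, comparing the netmasks the operating system reports against the configured values, and looking for a zero-length prefix as `match_all_entries` does, shows whether 'localnets' has widened to cover every IPv4 address.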

Affected Software

BIND 9.6-ESV through 9.6-ESV-R10, 9.8.0 through 9.8.6, 9.9.0 through 9.9.4, 9.9.3-S1 and 9.9.4-S1 on Windows.

Detection Method

Checks if a vulnerable version is present on the target host.

Solution

Update to version 9.6-ESV-R10-P1, 9.8.6-P1, 9.9.4-P1 or later.

Common Vulnerabilities and Exposures (CVE)

CVE-2013-6230