Allele Security Alert
Zone transfer controls for writable DLZ zones were not effective
Internet Systems Consortium (ISC)
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected.
Proof of concept
Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable.
A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.
CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
Multiple BIND CVEs disclosed (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 26, 2019