CVE-2016-2776

critical-risk
Published 2016-09-28

buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.

Do I need to act?

!
87.0% chance of exploitation in next 30 days
EPSS score — higher than 13% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
40453
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Oracle Hp Isc

References (34)

http://rhn.redhat.com/errata/RHSA-2016-1944.html
http://rhn.redhat.com/errata/RHSA-2016-1945.html
http://rhn.redhat.com/errata/RHSA-2016-2099.html
Third Party Advisory http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
Third Party Advisory http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.h...
Third Party Advisory http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.htm...
http://www.securityfocus.com/bid/93188
http://www.securitytracker.com/id/1036903
Third Party Advisory https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c...
Vendor Advisory https://kb.isc.org/article/AA-01419/0
https://kb.isc.org/article/AA-01435
https://kb.isc.org/article/AA-01436
https://kb.isc.org/article/AA-01438
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:28.bind.asc
https://security.gentoo.org/glsa/201610-07
https://security.netapp.com/advisory/ntap-20160930-0001/
https://www.exploit-db.com/exploits/40453/
http://rhn.redhat.com/errata/RHSA-2016-1944.html
http://rhn.redhat.com/errata/RHSA-2016-1945.html
http://rhn.redhat.com/errata/RHSA-2016-2099.html
and 14 more references
71
/ 100
critical-risk
Severity 26/34 · High
Exploitability 20/34 · Moderate
Exposure 25/34 · High