bind: TCP-pipelined queries can bypass tcp-clients limit (CVE-2019-6477)

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.

Affected Versions:

bind 9.11.6-P1 -> 9.11.12, 9.12.4-P1 -> 9.12.4-P2, 9.14.1 -> 9.14.7

Fixed In Version:

bind 9.11.13, 9.14.8, 9.15.6.

References:

https://kb.isc.org/docs/cve-2019-6477
https://www.openwall.com/lists/oss-security/2019/11/20/8

Affected branches:

master (85f2bc39)
3.10-stable (9e6955f5)
3.9-stable
3.8-stable

Edited Apr 02, 2021 by Leo

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information