PatchSiren

CVE-2016-6173 Nlnetlabs CVE debrief

CVE-2016-6173 is a remote availability issue in NSD affecting versions before 4.1.11. According to NVD, a DNS master server can trigger denial of service on a slave server by sending a zone transfer with unlimited data, leading to /tmp disk consumption and a possible slave server crash. The published CVSS v3 vector rates this as network-reachable, low-complexity, no-authentication, and high availability impact.

Vendor: Nlnetlabs
Product: CVE-2016-6173
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Operators and administrators running NSD slave servers, especially environments that receive zone transfers from remote master servers and still use versions 4.1.10 or earlier.

Technical summary

NVD identifies the affected CPE range as nlnetlabs:nsd through 4.1.10. The issue is classified as CWE-399 and has CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The documented failure mode is exhaustion of /tmp disk space and crash of the slave server during handling of an unbounded zone transfer. The official references include the NSD 4.1.11 release notes, issue tracking, and related mailing-list/vendor advisories.

Defensive priority

High. This is a remotely reachable denial-of-service condition with no required privileges or user interaction, and the primary impact is service availability.

Recommended defensive actions

  • Upgrade NSD to 4.1.11 or later on all affected slave servers.
  • Verify deployed NSD versions and compare them against the affected range through 4.1.10.
  • Review zone-transfer handling and alerting so unexpected /tmp growth or NSD crashes are detected quickly.
  • Confirm vendor release notes and related advisories before and after upgrading to ensure the fix is present in your packaged build.
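
The version check and /tmp alerting from the actions above, as an added shell example (not code from NLnet Labs or from this page). The version strings are constructed samples, the 80% threshold and all function names are assumptions, and a result of affected-unless-backported means the package changelog still has to be checked for the fix.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2016-6173 (NSD before 4.1.11).
# Assumed: version strings such as "4.1.10" or "4.1.10-1ubuntu1";
# TMP_ALERT_PCT is a hypothetical threshold, tune it per host.
FIXED="4.1.11"        # first fixed upstream release, per the advisory
TMP_ALERT_PCT=80

# "NSD version 4.1.10-1" -> "4.1.10" (leading dotted-numeric part only).
upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Return 0 if $1 < $2, comparing dot-separated fields as integers.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Prints affected | affected-unless-backported | not-affected | unknown.
classify_nsd() {
    v=$(upstream_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    if ! version_lt "$v" "$FIXED"; then echo not-affected; return 0; fi
    case "$1" in
        # A packaging suffix can hide a backported fix: check the changelog.
        *"$v"[-+~]*) echo affected-unless-backported ;;
        *) echo affected ;;
    esac
}

# Read `df -P` output on stdin, print the integer use% of the first entry.
df_used_pct() { awk 'NR==2 { sub(/%/, "", $5); print $5 }'; }

# Constructed inventory of reported versions (not real hosts).
for ver in "4.1.10" "4.1.10-1ubuntu1" "NSD version 4.1.11" "4.2.0"; do
    printf '%-22s %s\n' "$ver" "$(classify_nsd "$ver")"
done
used=$(df -P /tmp 2>/dev/null | df_used_pct)
if [ "${used:-0}" -ge "$TMP_ALERT_PCT" ]; then
    echo "ALERT: /tmp at ${used}% (possible runaway zone transfer)"
fi
```

The fields are compared as integers because a plain string comparison would rank 4.1.9 above 4.1.11.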

Evidence notes

Supported by the NVD record and linked references in the provided corpus. The record states that NSD before 4.1.11 is vulnerable, lists the affected CPE range through 4.1.10, classifies the weakness as CWE-399, and assigns CVSS v3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The reference set includes the NSD 4.1.11 release notes, issue tracker entry, and related mailing-list/advisory links.

Official resources

CVE published on 2017-02-09. The provided reference corpus also includes 2016 vendor and mailing-list references, indicating prior public discussion before NVD publication.