Created April 13, 2017 07:29
Subject: CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel

CVE: CVE-2017-3138
Document Version: 2.0
Posting date: 12 April 2017
Program Impacted: BIND
Versions affected: 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2,
                   9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2,
                   9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2,
                   9.9.9-S1->9.9.9-S9
Severity: Medium
Exploitable: Remotely, from hosts that are within the ACL permitted
             access to the control channel

Description:
named contains a feature which allows operators to issue commands
to a running server by communicating with the server process
over a control channel, using a utility program such as rndc.
A regression introduced in a recent feature change has created
a situation under which some versions of named can be caused
to exit with a REQUIRE assertion failure if they are sent a
null command string.

Impact:
The BIND control channel is not configured by default, but when
configured it will accept commands from those IP addresses that
are specified in its access control list and/or from clients
which present the proper transaction key. Using this defect,
an attacker can cause a running server to stop if they can get
it to accept control channel input from them. In most instances
this is not as bad as it sounds, because existing commands
permitted over the control channel (e.g. "rndc stop") can already
be given to cause the server to stop.

However, BIND 9.11.0 introduced a new option to allow "read
only" commands over the control channel. Using this restriction,
a server can be configured to limit specified clients to giving
control channel commands which return information only (e.g.
"rndc status") without affecting the operational state of the
server. The defect described in this advisory, however, is not
properly stopped by the "read only" restriction, in essence
permitting a privilege escalation: a client which should
only be permitted the limited set of "read only" operations can
cause the server to stop execution.

CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Workarounds:
None. However, in a properly configured server, access to the
control channel should already be limited by either network
ACLs, TSIG keys, or both. Note that a "read-only yes" listener
does not protect against this defect: hosts allowed on a
read-only listener can still crash an unpatched server.
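The following controls statements illustrate the workaround's advice. They are an added example, not part of the ISC advisory: the key names, the 192.0.2.0/24 documentation addresses and the secret placeholders are assumptions, and the secret values must be replaced with the output of rndc-confgen.

```conf
# --- Weak: the control channel listens on every interface and accepts
# --- connections from any source address.  Only the key stands between
# --- the network and "rndc stop" (or, unpatched, the null-command crash).
controls {
    inet * port 953 allow { any; } keys { "rndc-key"; };
};

# --- Hardened: two listeners, each bound to one address, each with its
# --- own ACL and its own key.  Full control is loopback-only; the
# --- monitoring host gets a read-only listener (BIND 9.11+ syntax).
key "rndc-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-rndc-confgen-OUTPUT";     # placeholder, not a real key
};
key "monitor-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-SECOND-GENERATED-SECRET"; # placeholder, not a real key
};
controls {
    # Operator access: loopback address, loopback source, operator key.
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    # Monitoring access: one management address, one permitted client,
    # a separate key, and only information-returning commands.
    inet 192.0.2.10 port 953 allow { 192.0.2.20; } keys { "monitor-key"; }
        read-only yes;
};
```

Use named-checkconf to validate the file before reloading, and keep in mind that the read-only listener limits which commands the monitoring host may run but, per this advisory, does not stop it from crashing a vulnerable named; the ACL and key on that listener are the only protection until the upgrade is applied.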
Active exploits:
No known active exploits.

Solution:
Upgrade to the patched release most closely related to your
current version of BIND. These can all be downloaded from
http://www.isc.org/downloads.
- BIND 9 version 9.9.9-P8
- BIND 9 version 9.10.4-P8
- BIND 9 version 9.11.0-P5

BIND Supported Preview Edition is a special feature preview
branch of BIND provided to eligible ISC support customers.
- BIND 9 version 9.9.9-S10

New development releases of BIND are also available which
contain the fix for this vulnerability:
- BIND 9 version 9.9.10rc3
- BIND 9 version 9.10.5rc3
- BIND 9 version 9.11.1rc3

Acknowledgements:
ISC would like to thank Mike Lalumiere of Dyn, Inc., for bringing
this issue to our attention.

Document Revision History:
1.0 Advance Notification 20 March 2017
1.1 Revised Acknowledgements and Versions Affected 22 March 2017
1.2 Added mention of maintenance releases to the Solution section
    31 March 2017
2.0 Public Announcement 12 April 2017

----------------------------------------------------
Subject: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

CVE: CVE-2017-3137
Document Version: 2.0
Posting date: 12 April 2017
Program Impacted: BIND
Versions affected: 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6,
                   9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1,
                   and 9.9.9-S8
Severity: High
Exploitable: Remotely

Description:
Mistaken assumptions about the ordering of records in the answer
section of a response containing CNAME or DNAME resource records
could lead to a situation in which named would exit with an
assertion failure when processing a response in which records
occurred in an unusual order.

Impact:
A server which is performing recursion can be forced to exit
with an assertion failure if it can be caused to receive a
response containing CNAME or DNAME resource records with certain
ordering. An attacker can cause a denial of service by exploiting
this condition. Recursive resolvers are at highest risk, but
authoritative servers are also vulnerable if they perform
recursion. Because the trigger is a response rather than a
query, an attacker only needs to get the resolver to look up a
name under their control (or to spoof a response to it); no
access to the server itself is required.

CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds:
None known.

Active exploits:
No known active exploits.

Solution:
Upgrade to the patched release most closely related to your
current version of BIND. These can all be downloaded from
http://www.isc.org/downloads.
- BIND 9 version 9.9.9-P8
- BIND 9 version 9.10.4-P8
- BIND 9 version 9.11.0-P5

BIND Supported Preview Edition is a special feature preview
branch of BIND provided to eligible ISC support customers.
- BIND 9 version 9.9.9-S10

New development releases of BIND are also available which contain
the fix for this vulnerability:
- BIND 9 version 9.9.10rc3
- BIND 9 version 9.10.5rc3
- BIND 9 version 9.11.1rc3

Document Revision History:
1.0 Advance Notification 08 March 2017
1.1 Revised Posting Date; Added pre-releases to Versions Affected
    20 March 2017
1.2 Revised patch release versions 12 April 2017
2.0 Public Announcement 12 April 2017

-------------------------------------------------------------------
Subject: CVE-2017-3136: An error in handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"

CVE: CVE-2017-3136
Document Version: 2.0
Posting date: 12 April 2017
Program Impacted: BIND
Versions affected: 9.8.0->9.8.8-P1, 9.9.0->9.9.9-P6,
                   9.9.10b1->9.9.10rc1,
                   9.10.0->9.10.4-P6, 9.10.5b1->9.10.5rc1,
                   9.11.0->9.11.0-P3, 9.11.1b1->9.11.1rc1,
                   9.9.3-S1->9.9.9-S8
Severity: Medium, but only a risk to systems with
          specific configurations
Exploitable: Remotely

Description:
A query with a specific set of characteristics could cause a
server using DNS64 to encounter an assertion failure and terminate.
An attacker could deliberately construct such a query, enabling
denial of service against a server if it was configured to use
the DNS64 feature and the other preconditions were met.

Impact:
Servers are at risk if they are configured to use DNS64 and if
the option "break-dnssec yes;" is in use.

CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds:
Servers which have configurations which require DNS64 and
"break-dnssec yes;" should upgrade. Servers which are not using
these features in conjunction are not at risk from this defect.
Where the "break-dnssec yes;" setting can be removed from the
dns64 configuration, doing so removes the precondition until
the upgrade is applied.
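The two preconditions side by side, as an added example (not a fragment from the advisory): a dns64 block that meets both, and the same block with the dangerous option left at its default. The 64:ff9b::/96 prefix is the well-known NAT64 prefix; the client ACL name and the 2001:db8::/32 range are assumptions.

```conf
# --- At risk: DNS64 is enabled AND break-dnssec is turned on, so a
# --- crafted query can trigger the assertion failure on unpatched named.
acl "nat64-clients" { 2001:db8::/32; };   # placeholder client range
dns64 64:ff9b::/96 {
    clients { "nat64-clients"; };
    break-dnssec yes;                    # the vulnerable setting
};

# --- Not at risk from this defect: same DNS64 service, break-dnssec left
# --- at its default of "no".  DNSSEC-validating clients will not receive
# --- synthesized AAAA records for signed names, which is the usual
# --- reason operators turned the option on in the first place.
dns64 64:ff9b::/96 {
    clients { "nat64-clients"; };
};
```

To check a running configuration, print the fully expanded config with named-checkconf -p and look for any dns64 block that contains break-dnssec yes; a server with no dns64 statement at all is outside this advisory's scope.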
Active exploits:
No known active exploits.

Solution:
Upgrade to the patched release most closely related to your
current version of BIND. These can all be downloaded from
http://www.isc.org/downloads.
- BIND 9 version 9.9.9-P8
- BIND 9 version 9.10.4-P8
- BIND 9 version 9.11.0-P5

BIND Supported Preview Edition is a special feature preview
branch of BIND provided to eligible ISC support customers.
- BIND 9 version 9.9.9-S10

New development releases of BIND are also available which contain
the fix for this vulnerability:
- BIND 9 version 9.9.10rc3
- BIND 9 version 9.10.5rc3
- BIND 9 version 9.11.1rc3

Acknowledgements:
ISC would like to thank Oleg Gorokhov of Yandex for making us
aware of this vulnerability.

Document Revision History:
1.0 Advance Notification 08 March 2017
1.1 Revised Publication Date; Added pre-releases to Versions Affected
    20 March 2017
2.0 Public Announcement 12 April 2017
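All three advisories express exposure as ranges of BIND version strings with beta (b), release-candidate (rc), patch (-P) and Supported Preview (-S) suffixes, and all three point at the same set of fixed releases. The script below, added here as an example and not ISC tooling, transcribes those ranges and answers "which of these CVEs apply to this version, and which patched release is the closest?" It assumes the version string is taken from the output of named -v, whose first two tokens are assumed to be "BIND <version>"; the ordering beta < rc < release < -P within one version number, and the treatment of -S builds as a separate track, are this example's own modelling of the suffixes.

```python
"""Check a BIND version against the affected ranges in the ISC advisories for
CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138.  Added example; the ranges
and fixed releases are transcribed from the advisory text above."""
import re

# Ordering within one release number (this example's assumption):
# beta < release candidate < final release < -P maintenance release.
# -S releases are the Supported Preview track and only compare with each other.
_STAGE = {"b": 0, "rc": 1, "": 2, "P": 3, "S": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+)|-(P|S)(\d+))?$")

# Inclusive (low, high) ranges exactly as listed under "Versions affected";
# single versions become one-element ranges.
ADVISORIES = {
    "CVE-2017-3136": [
        ("9.8.0", "9.8.8-P1"), ("9.9.0", "9.9.9-P6"), ("9.9.10b1", "9.9.10rc1"),
        ("9.10.0", "9.10.4-P6"), ("9.10.5b1", "9.10.5rc1"),
        ("9.11.0", "9.11.0-P3"), ("9.11.1b1", "9.11.1rc1"),
        ("9.9.3-S1", "9.9.9-S8"),
    ],
    "CVE-2017-3137": [
        ("9.9.9-P6", "9.9.9-P6"), ("9.9.10b1", "9.9.10rc1"),
        ("9.10.4-P6", "9.10.4-P6"), ("9.10.5b1", "9.10.5rc1"),
        ("9.11.0-P3", "9.11.0-P3"), ("9.11.1b1", "9.11.1rc1"),
        ("9.9.9-S8", "9.9.9-S8"),
    ],
    "CVE-2017-3138": [
        ("9.9.9", "9.9.9-P7"), ("9.9.10b1", "9.9.10rc2"),
        ("9.10.4", "9.10.4-P7"), ("9.10.5b1", "9.10.5rc2"),
        ("9.11.0", "9.11.0-P4"), ("9.11.1b1", "9.11.1rc2"),
        ("9.9.9-S1", "9.9.9-S9"),
    ],
}

# The "Solution" section is identical in all three advisories.
FIXED = ["9.9.9-P8", "9.10.4-P8", "9.11.0-P5", "9.9.9-S10",
         "9.9.10rc3", "9.10.5rc3", "9.11.1rc3"]


def parse_version(text):
    """Return (track, key) for strings like '9.10.4-P6', '9.9.10rc2', '9.9.9-S8'.
    track is 'S' for Supported Preview builds, '' otherwise; key is a tuple
    that sorts correctly within one track."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = m.group(4) or m.group(6) or ""
    number = int(m.group(5) or m.group(7) or 0)
    track = "S" if stage == "S" else ""
    return track, (major, minor, patch, _STAGE[stage], number)


def in_range(version, low, high):
    """Inclusive range test; versions on different tracks never match."""
    t, v = parse_version(version)
    tl, lo = parse_version(low)
    th, hi = parse_version(high)
    return t == tl == th and lo <= v <= hi


def affected_cves(version):
    """CVEs from the three advisories whose affected ranges contain version."""
    return [cve for cve, ranges in ADVISORIES.items()
            if any(in_range(version, lo, hi) for lo, hi in ranges)]


def recommended_fix(version):
    """The patched release 'most closely related' to version: same track and
    major.minor branch, preferring the same third component.  None when the
    advisories list no fix for that branch (e.g. the 9.8 line)."""
    track, v = parse_version(version)
    candidates = []
    for fixed in FIXED:
        ft, f = parse_version(fixed)
        if ft == track and f[:2] == v[:2] and f > v:
            candidates.append((f[2] != v[2], f, fixed))
    return min(candidates)[2] if candidates else None


def version_from_banner(banner):
    """Extract the version from 'named -v' output, assumed to begin with
    'BIND <version>' (for example 'BIND 9.10.4-P6 <id:abcdef>')."""
    m = re.match(r"BIND\s+(\S+)", banner.strip())
    if not m:
        raise ValueError("not a named -v banner: %r" % banner)
    return m.group(1)


if __name__ == "__main__":
    # Constructed banner standing in for the real `named -v` output.
    banner = "BIND 9.10.4-P6 <id:constructed>"
    ver = version_from_banner(banner)
    print(ver, "affected by:", affected_cves(ver) or "none",
          "-> upgrade to", recommended_fix(ver))
```

The usual caveat applies to any version-string check: distribution packages frequently backport the fix without changing the upstream version (a 9.10.3-P4 from a vendor may carry all three patches), so treat a hit from this script as a prompt to consult the package changelog, not as proof of exposure. Conversely, a 9.8.x hit for CVE-2017-3136 comes back with no recommended fix because ISC listed none for that branch.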