ID CVE-2017-3138
Summary named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
References
Vulnerable Configurations
  • ISC BIND 9.9.9
    cpe:2.3:a:isc:bind:9.9.9
  • ISC BIND 9.9.9 P1
    cpe:2.3:a:isc:bind:9.9.9:p1
  • cpe:2.3:a:isc:bind:9.9.9:p2
    cpe:2.3:a:isc:bind:9.9.9:p2
  • ISC BIND 9.9.9 Patch 3
    cpe:2.3:a:isc:bind:9.9.9:p3
  • ISC BIND 9.9.9 Patch 4
    cpe:2.3:a:isc:bind:9.9.9:p4
  • cpe:2.3:a:isc:bind:9.9.9:p5
    cpe:2.3:a:isc:bind:9.9.9:p5
  • cpe:2.3:a:isc:bind:9.9.9:p6
    cpe:2.3:a:isc:bind:9.9.9:p6
  • cpe:2.3:a:isc:bind:9.9.9:p7
    cpe:2.3:a:isc:bind:9.9.9:p7
  • ISC BIND 9.9.9 S1
    cpe:2.3:a:isc:bind:9.9.9:s1
  • ISC BIND 9.9.9 S7
    cpe:2.3:a:isc:bind:9.9.9:s7
  • cpe:2.3:a:isc:bind:9.9.10:beta1
    cpe:2.3:a:isc:bind:9.9.10:beta1
  • cpe:2.3:a:isc:bind:9.9.10:rc1
    cpe:2.3:a:isc:bind:9.9.10:rc1
  • cpe:2.3:a:isc:bind:9.9.10:rc2
    cpe:2.3:a:isc:bind:9.9.10:rc2
  • ISC BIND 9.10.4
    cpe:2.3:a:isc:bind:9.10.4
  • ISC BIND 9.10.4 Patch 1
    cpe:2.3:a:isc:bind:9.10.4:p1
  • ISC BIND 9.10.4 Patch 2
    cpe:2.3:a:isc:bind:9.10.4:p2
  • ISC BIND 9.10.4 Patch 3
    cpe:2.3:a:isc:bind:9.10.4:p3
  • ISC BIND 9.10.4 Patch 4
    cpe:2.3:a:isc:bind:9.10.4:p4
  • ISC BIND 9.10.4 Patch 5
    cpe:2.3:a:isc:bind:9.10.4:p5
  • ISC BIND 9.10.4 Patch 6
    cpe:2.3:a:isc:bind:9.10.4:p6
  • cpe:2.3:a:isc:bind:9.10.4:p7
    cpe:2.3:a:isc:bind:9.10.4:p7
  • ISC BIND 9.10.5 Beta 1
    cpe:2.3:a:isc:bind:9.10.5:b1
  • ISC BIND 9.10.5 Release Candidate 1
    cpe:2.3:a:isc:bind:9.10.5:rc1
  • cpe:2.3:a:isc:bind:9.10.5:rc2
    cpe:2.3:a:isc:bind:9.10.5:rc2
  • ISC BIND 9.11.0
    cpe:2.3:a:isc:bind:9.11.0
  • ISC BIND 9.11.0 Patch 1
    cpe:2.3:a:isc:bind:9.11.0:p1
  • ISC BIND 9.11.0 Patch 2
    cpe:2.3:a:isc:bind:9.11.0:p2
  • ISC BIND 9.11.0 Patch 3
    cpe:2.3:a:isc:bind:9.11.0:p3
  • cpe:2.3:a:isc:bind:9.11.0:p4
    cpe:2.3:a:isc:bind:9.11.0:p4
  • ISC BIND 9.11.1 Beta 1
    cpe:2.3:a:isc:bind:9.11.1:b1
  • ISC BIND 9.11.1 Release Candidate 1
    cpe:2.3:a:isc:bind:9.11.1:rc1
  • cpe:2.3:a:isc:bind:9.11.1:rc2
    cpe:2.3:a:isc:bind:9.11.1:rc2
  • cpe:2.3:a:netapp:data_ontap_edge
    cpe:2.3:a:netapp:data_ontap_edge
  • cpe:2.3:a:netapp:element_software
    cpe:2.3:a:netapp:element_software
  • cpe:2.3:a:netapp:oncommand_balance
    cpe:2.3:a:netapp:oncommand_balance
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
CVSS
Base: 3.5
Impact:
Exploitability:
CWE CWE-617
CAPEC
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1000-1.NASL
    description This update for bind fixes the following security issues: CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion. CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64. CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure. CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message. CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99358
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99358
    title SUSE SLES11 Security Update : bind (SUSE-SU-2017:1000-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0999-1.NASL
    description This update for bind fixes the following issues: CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion. CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64. CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure. CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message. CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99357
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99357
    title SUSE SLES12 Security Update : bind (SUSE-SU-2017:0999-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0998-1.NASL
    description This update for bind fixes the following issues: CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion. CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64. CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure. CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message. CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. One additional non-security bug was fixed: The default umask was changed to 077. (bsc#1020983) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99356
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99356
    title SUSE SLED12 / SLES12 Security Update : bind (SUSE-SU-2017:0998-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-491.NASL
    description This update for bind fixes the following issues : CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion. CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64. CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure. CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message. CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. One additional non-security bug was fixed : The default umask was changed to 077. (bsc#1020983) This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99499
    published 2017-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99499
    title openSUSE Security Update : bind (openSUSE-2017-491)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3854.NASL
    description Several vulnerabilities were discovered in BIND, a DNS server implementation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2017-3136 Oleg Gorokhov of Yandex discovered that BIND does not properly handle certain queries when using DNS64 with the 'break-dnssec yes;' option, allowing a remote attacker to cause a denial-of-service. - CVE-2017-3137 It was discovered that BIND makes incorrect assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records, leading to situations where BIND exits with an assertion failure. An attacker can take advantage of this condition to cause a denial-of-service. - CVE-2017-3138 Mike Lalumiere of Dyn, Inc. discovered that BIND can exit with a REQUIRE assertion failure if it receives a null command string on its control channel. Note that the fix applied in Debian is only applied as a hardening measure. Details about the issue can be found at https://kb.isc.org/article/AA-01471 .
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 100167
    published 2017-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100167
    title Debian DSA-3854-1 : bind9 - security update
  • NASL family DNS
    NASL id BIND9_CVE-2017-3138.NASL
    description According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.9.x prior to 9.9.9-P8 or 9.9.9-S10, 9.10.x prior to 9.10.4-P8, or 9.11.x prior to 9.11.0-P5. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in DNS64 when handling certain queries for synthesized records. An unauthenticated, remote attacker can exploit this, via a specially crafted query, to cause an assertion failure, resulting in DNS64 terminating. Note that issue applies if the server is configured to use DNS64 and if the option 'break-dnssec yes;' is in use. (CVE-2017-3136) - A denial of service vulnerability exists when handling specially crafted responses containing CNAME or DNAME resource records that are ordered in specific ways. An unauthenticated, remote attacker can exploit this, via responses sent in an unusual order, to cause an assertion failure, resulting in the resolver terminating. (CVE-2017-3137) - A denial of service vulnerability exists when handling a NULL command string sent to the named control channel. An authenticated, remote attacker can exploit this to cause an REQUIRE assertion failure, resulting in the named daemon exiting. Note that the BIND control channel is not configured by default. (CVE-2017-3138) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 99478
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99478
    title ISC BIND 9 < 9.9.9-P8 / 9.9.9-S10 / 9.9.10rc3 / 9.10.4-P8 / 9.10.5rc3 / 9.11.0-P5 / 9.11.1r3 Multiple Vunlerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-F9F909A7B7.NASL
    description Security fix for CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 101751
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101751
    title Fedora 26 : 32:bind (2017-f9f909a7b7)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-EE4B0F53CB.NASL
    description Security fix for CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99495
    published 2017-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99495
    title Fedora 25 : 32:bind (2017-ee4b0f53cb)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-EDCE28F24B.NASL
    description Security fix for CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 100014
    published 2017-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100014
    title Fedora 24 : bind99 (2017-edce28f24b)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-44E494DB1E.NASL
    description Security fix for CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99488
    published 2017-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99488
    title Fedora 25 : bind99 (2017-44e494db1e)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201708-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201708-01 (BIND: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in BIND. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted DNS request to the BIND resolver resulting in a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 102531
    published 2017-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102531
    title GLSA-201708-01 : BIND: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-103-01.NASL
    description New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99378
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99378
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bind (SSA:2017-103-01)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-A354EFC764.NASL
    description Security fix for CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 101692
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101692
    title Fedora 26 : bind99 (2017-a354efc764)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3259-1.NASL
    description It was discovered that the resolver in Bind made incorrect assumptions about ordering when processing responses containing a CNAME or DNAME. An attacker could use this cause a denial of service. (CVE-2017-3137) Oleg Gorokhov discovered that in some situations, Bind did not properly handle DNS64 queries. An attacker could use this to cause a denial of service. (CVE-2017-3136) Mike Lalumiere discovered that in some situations, Bind did not properly handle invalid operations requested via its control channel. An attacker with access to the control channel could cause a denial of service. (CVE-2017-3138). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99435
    published 2017-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99435
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : bind9 vulnerabilities (USN-3259-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-0A876B0BA5.NASL
    description Security fix for CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99605
    published 2017-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99605
    title Fedora 24 : 32:bind (2017-0a876b0ba5)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-957.NASL
    description CVE-2017-3136 Oleg Gorokhov of Yandex discovered that BIND does not properly handle certain queries when using DNS64 with the 'break-dnssec yes;' option, allowing a remote attacker to cause a denial of service. CVE-2017-3137 It was discovered that BIND makes incorrect assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records, leading to situations where BIND exits with an assertion failure. An attacker can take advantage of this condition to cause a denial of service. CVE-2017-3138 Mike Lalumiere of Dyn, Inc. discovered that BIND can exit with a REQUIRE assertion failure if it receives a null command string on its control channel. Note that the fix applied in Debian is only applied as a hardening measure. Details about the issue can be found at https://kb.isc.org/article/AA-01471 . For Debian 7 'Wheezy', these problems have been fixed in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u16. We recommend that you upgrade your bind9 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 100477
    published 2017-05-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100477
    title Debian DLA-957-1 : bind9 security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C68614941FFB11E7934DD05099C0AE8C.NASL
    description ISC reports : A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99325
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99325
    title FreeBSD : BIND -- multiple vulnerabilities (c6861494-1ffb-11e7-934d-d05099c0ae8c)
refmap via4
bid 97657
confirm
debian DSA-3854
gentoo GLSA-201708-01
sectrack 1038260
Last major update 16-01-2019 - 15:29
Published 16-01-2019 - 15:29
Last modified 09-10-2019 - 19:27
Back to Top