certfr_avis - certfr-2017-avi-199

CERTFR-2017-AVI-199

Vulnerability from certfr_avis

Une vulnérabilité a été corrigée dans ISC BIND. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
ISC	BIND	BIND 9 versions 9.9.3-S1 à 9.9.10-S2
ISC	BIND	BIND 9 versions 9.9.0 à 9.9.10-P1
ISC	BIND	BIND 9 versions 9.10.5-S1 à 9.10.5-S2
ISC	BIND	BIND 9 versions 9.10.0 à 9.10.5-P1
ISC	BIND	BIND 9 versions 9.11.0 à 9.11.1-P1
ISC	BIND	BIND 9 versions 9.4.0 à 9.8.8

References

Title

Publication Time

CVE-2017-3143 (GCVE-0-2017-3143)

Vulnerability from cvelistv5

Published

2019-01-16 20:00

Modified

2024-09-16 16:14

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

A server that relies solely on TSIG keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique. Note that the local update policy (configured with "update-policy local;" in named.conf) implicitly defines a key with a known key name (local-ddns) and default algorithm and no IP-based access controls on the zone updates. In conjunction with this failure in TSIG verification, "update-policy local" is potentially very dangerous.

Summary

An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2.

References

URL

Tags

	https://kb.isc.org/docs/aa-01503	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2017:1680	vendor-advisory, x_refsource_REDHAT
	https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03772en_us	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2017:1679	vendor-advisory, x_refsource_REDHAT
	http://www.securitytracker.com/id/1038809	vdb-entry, x_refsource_SECTRACK
	https://www.debian.org/security/2017/dsa-3904	vendor-advisory, x_refsource_DEBIAN
	http://www.securityfocus.com/bid/99337	vdb-entry, x_refsource_BID
	https://security.netapp.com/advisory/ntap-20190830-0003/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Version: 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:16:28.265Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.isc.org/docs/aa-01503"
          },
          {
            "name": "RHSA-2017:1680",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1680"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03772en_us"
          },
          {
            "name": "RHSA-2017:1679",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1679"
          },
          {
            "name": "1038809",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038809"
          },
          {
            "name": "DSA-3904",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-3904"
          },
          {
            "name": "99337",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/99337"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190830-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "status": "affected",
              "version": "9.4.0-\u003e9.8.8, 9.9.0-\u003e9.9.10-P1, 9.10.0-\u003e9.10.5-P1, 9.11.0-\u003e9.11.1-P1, 9.9.3-S1-\u003e9.9.10-S2, 9.10.5-S1-\u003e9.10.5-S2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Cl\u00e9ment Berthaux from Synacktiv for reporting this issue."
        }
      ],
      "datePublic": "2017-06-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0-\u003e9.8.8, 9.9.0-\u003e9.9.10-P1, 9.10.0-\u003e9.10.5-P1, 9.11.0-\u003e9.11.1-P1, 9.9.3-S1-\u003e9.9.10-S2, 9.10.5-S1-\u003e9.10.5-S2."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "A server that relies solely on TSIG keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique.\n\nNote that the local update policy (configured with \"update-policy local;\" in named.conf) implicitly defines a key with a known key name (local-ddns) and default algorithm and no IP-based access controls on the zone updates.  In conjunction with this failure in TSIG verification, \"update-policy local\" is potentially very dangerous.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-30T16:06:09",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.isc.org/docs/aa-01503"
        },
        {
          "name": "RHSA-2017:1680",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1680"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03772en_us"
        },
        {
          "name": "RHSA-2017:1679",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1679"
        },
        {
          "name": "1038809",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038809"
        },
        {
          "name": "DSA-3904",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-3904"
        },
        {
          "name": "99337",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/99337"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190830-0003/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.\n\n    BIND 9 version 9.9.10-P2\n    BIND 9 version 9.10.5-P2\n    BIND 9 version 9.11.1-P2\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n    BIND 9 version 9.9.10-S3\n    BIND 9 version 9.10.5-S3"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "An error in TSIG authentication can permit unauthorized dynamic updates",
      "workarounds": [
        {
          "lang": "en",
          "value": "The effects of this vulnerability can be mitigated by using Access Control Lists (ACLs) that require both address range validation and use of TSIG authentication in conjunction.  For information on how to configure this type of compound authentication control, please see: https://kb.isc.org/article/AA-00723/0/Using-Access-Control-Lists-ACLs-with-both-addresses-and-keys.html.\n\nAdministrators who have made use of named.conf option \"update-policy local;\" should patch their servers as soon as possible and if this is not possible should replace the update-policy configuration statement with an allow-update statement implementing the key requirement for updates but additionally imposing an IP ACL limitation, e.g.:\n\nallow-update { !{ !localhost; }; key local-ddns; };"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-officer@isc.org",
          "DATE_PUBLIC": "2017-06-29T00:00:00.000Z",
          "ID": "CVE-2017-3143",
          "STATE": "PUBLIC",
          "TITLE": "An error in TSIG authentication can permit unauthorized dynamic updates"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "BIND 9",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.4.0-\u003e9.8.8, 9.9.0-\u003e9.9.10-P1, 9.10.0-\u003e9.10.5-P1, 9.11.0-\u003e9.11.1-P1, 9.9.3-S1-\u003e9.9.10-S2, 9.10.5-S1-\u003e9.10.5-S2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ISC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "ISC would like to thank Cl\u00e9ment Berthaux from Synacktiv for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0-\u003e9.8.8, 9.9.0-\u003e9.9.10-P1, 9.10.0-\u003e9.10.5-P1, 9.11.0-\u003e9.11.1-P1, 9.9.3-S1-\u003e9.9.10-S2, 9.10.5-S1-\u003e9.10.5-S2."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "A server that relies solely on TSIG keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique.\n\nNote that the local update policy (configured with \"update-policy local;\" in named.conf) implicitly defines a key with a known key name (local-ddns) and default algorithm and no IP-based access controls on the zone updates.  In conjunction with this failure in TSIG verification, \"update-policy local\" is potentially very dangerous."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.isc.org/docs/aa-01503",
              "refsource": "CONFIRM",
              "url": "https://kb.isc.org/docs/aa-01503"
            },
            {
              "name": "RHSA-2017:1680",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1680"
            },
            {
              "name": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03772en_us",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03772en_us"
            },
            {
              "name": "RHSA-2017:1679",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1679"
            },
            {
              "name": "1038809",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038809"
            },
            {
              "name": "DSA-3904",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-3904"
            },
            {
              "name": "99337",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/99337"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190830-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190830-0003/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.\n\n    BIND 9 version 9.9.10-P2\n    BIND 9 version 9.10.5-P2\n    BIND 9 version 9.11.1-P2\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n    BIND 9 version 9.9.10-S3\n    BIND 9 version 9.10.5-S3"
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "The effects of this vulnerability can be mitigated by using Access Control Lists (ACLs) that require both address range validation and use of TSIG authentication in conjunction.  For information on how to configure this type of compound authentication control, please see: https://kb.isc.org/article/AA-00723/0/Using-Access-Control-Lists-ACLs-with-both-addresses-and-keys.html.\n\nAdministrators who have made use of named.conf option \"update-policy local;\" should patch their servers as soon as possible and if this is not possible should replace the update-policy configuration statement with an allow-update statement implementing the key requirement for updates but additionally imposing an IP ACL limitation, e.g.:\n\nallow-update { !{ !localhost; }; key local-ddns; };"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2017-3143",
    "datePublished": "2019-01-16T20:00:00Z",
    "dateReserved": "2016-12-02T00:00:00",
    "dateUpdated": "2024-09-16T16:14:21.796Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted