cnvd - cnvd-2017-04458

cnvd-2017-04458

Vulnerability from cnvd

Title: ISC BIND 9名称服务器拒绝服务漏洞

Description:

ISC BIND是美国Internet Systems Consortium（ISC）公司所维护的一套实现了DNS协议的开源软件。

ISC BIND 9名称服务器存在拒绝服务漏洞，攻击者可利用该漏洞通过在其控制信道上发送空命令使BIND名称服务器流程退出。然而，仅能通过可接入控制信道的主机远程利用该漏洞。

Severity: 中

Formal description:

厂商尚未提供漏洞修补方案，请关注厂商主页及时更新： https://www.us-cert.gov/ncas/current-activity/2017/04/12/ISC-Releases-Security-Updates-BIND

Reference: https://www.us-cert.gov/ncas/current-activity/2017/04/12/ISC-Releases-Security-Updates-BIND

Impacted products

Name
['ISC BIND 9 9.9.9-P8', 'ISC BIND 9 9.10.4-P8', 'ISC BIND 9 9.11.0-P5', 'ISC BIND 9 9.9.9-S10']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-3138"
    }
  },
  "description": "ISC BIND\u662f\u7f8e\u56fdInternet Systems Consortium\uff08ISC\uff09\u516c\u53f8\u6240\u7ef4\u62a4\u7684\u4e00\u5957\u5b9e\u73b0\u4e86DNS\u534f\u8bae\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\r\n\r\nISC BIND 9\u540d\u79f0\u670d\u52a1\u5668\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5728\u5176\u63a7\u5236\u4fe1\u9053\u4e0a\u53d1\u9001\u7a7a\u547d\u4ee4\u4f7fBIND\u540d\u79f0\u670d\u52a1\u5668\u6d41\u7a0b\u9000\u51fa\u3002\u7136\u800c\uff0c\u4ec5\u80fd\u901a\u8fc7\u53ef\u63a5\u5165\u63a7\u5236\u4fe1\u9053\u7684\u4e3b\u673a\u8fdc\u7a0b\u5229\u7528\u8be5\u6f0f\u6d1e\u3002",
  "discovererName": "Oana Murarasu",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://www.us-cert.gov/ncas/current-activity/2017/04/12/ISC-Releases-Security-Updates-BIND",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-04458",
  "openTime": "2017-04-14",
  "products": {
    "product": [
      "ISC BIND 9 9.9.9-P8",
      "ISC BIND 9 9.10.4-P8",
      "ISC BIND 9 9.11.0-P5",
      "ISC BIND 9 9.9.9-S10"
    ]
  },
  "referenceLink": "https://www.us-cert.gov/ncas/current-activity/2017/04/12/ISC-Releases-Security-Updates-BIND",
  "serverity": "\u4e2d",
  "submitTime": "2017-04-14",
  "title": "ISC BIND 9\u540d\u79f0\u670d\u52a1\u5668\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2017-3138 (GCVE-0-2017-3138)

Vulnerability from cvelistv5

Published

2019-01-16 20:00

Modified

2024-09-16 22:40

Severity ?

6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

The BIND control channel is not configured by default, but when configured will accept commands from those IP addresses that are specified in its access control list and/or from clients which present the proper transaction key. Using this defect, an attacker can cause a running server to stop if they can get it to accept control channel input from them. In most instances this is not as bad as it sounds, because existing commands permitted over the control channel (i.e. "rndc stop") can already be given to cause the server to stop. However, BIND 9.11.0 introduced a new option to allow "read only" commands over the command channel. Using this restriction, a server can be configured to limit specified clients to giving control channel commands which return information only (e.g. "rndc status") without affecting the operational state of the server. The defect described in this advisory, however, is not properly stopped by the "read only" restriction, in essence permitting a privilege escalation allowing a client which should only be permitted the limited set of "read only" operations to cause the server to stop execution.

Summary

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.

References

▼	URL	Tags
	http://www.securitytracker.com/id/1038260	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/97657	vdb-entry, x_refsource_BID
	https://security.gentoo.org/glsa/201708-01	vendor-advisory, x_refsource_GENTOO
	https://security.netapp.com/advisory/ntap-20180802-0002/	x_refsource_CONFIRM
	https://www.debian.org/security/2017/dsa-3854	vendor-advisory, x_refsource_DEBIAN
	https://kb.isc.org/docs/aa-01471	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Version: 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:16:28.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1038260",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038260"
          },
          {
            "name": "97657",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97657"
          },
          {
            "name": "GLSA-201708-01",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201708-01"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20180802-0002/"
          },
          {
            "name": "DSA-3854",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-3854"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.isc.org/docs/aa-01471"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "status": "affected",
              "version": "9.9.9-\u003e9.9.9-P7, 9.9.10b1-\u003e9.9.10rc2, 9.10.4-\u003e9.10.4-P7, 9.10.5b1-\u003e9.10.5rc2, 9.11.0-\u003e9.11.0-P4, 9.11.1b1-\u003e9.11.1rc2, 9.9.9-S1-\u003e9.9.9-S9"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Mike Lalumiere of Dyn, Inc., for bringing this issue to our attention."
        }
      ],
      "datePublic": "2017-03-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9-\u003e9.9.9-P7, 9.9.10b1-\u003e9.9.10rc2, 9.10.4-\u003e9.10.4-P7, 9.10.5b1-\u003e9.10.5rc2, 9.11.0-\u003e9.11.0-P4, 9.11.1b1-\u003e9.11.1rc2, 9.9.9-S1-\u003e9.9.9-S9."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "The BIND control channel is not configured by default, but when configured will accept commands from those IP addresses that are specified in its access control list and/or from clients which present the proper transaction key.  Using this defect, an attacker can cause a running server to stop if they can get it to accept control channel input from them.  In most instances this is not as bad as it sounds, because existing commands permitted over the control channel (i.e. \"rndc stop\") can already be given to cause the server to stop.\n\nHowever, BIND 9.11.0 introduced a new option to allow \"read only\" commands over the command channel.  Using this restriction, a server can be configured to limit specified clients to giving control channel commands which return information only (e.g. \"rndc status\") without affecting the operational state of the server.  The defect described in this advisory, however, is not properly stopped by the \"read only\" restriction, in essence permitting a privilege escalation allowing a client which should only be permitted the limited set of \"read only\" operations to cause the server to stop execution.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-01-17T10:57:01",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "1038260",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038260"
        },
        {
          "name": "97657",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97657"
        },
        {
          "name": "GLSA-201708-01",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201708-01"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20180802-0002/"
        },
        {
          "name": "DSA-3854",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-3854"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.isc.org/docs/aa-01471"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.\n\n    BIND 9 version 9.9.9-P8\n    BIND 9 version 9.10.4-P8\n    BIND 9 version 9.11.0-P5\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n    BIND 9 version 9.9.9-S10\n\nNew maintenance releases of BIND are also scheduled which contain the fix for this vulnerability.  In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions:\n\n    BIND 9 version 9.9.10rc3\n    BIND 9 version 9.10.5rc3\n    BIND 9 version 9.11.1rc3"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "named exits with a REQUIRE assertion failure if it receives a null command string on its control channel",
      "workarounds": [
        {
          "lang": "en",
          "value": "None.  However, in a properly configured server, access to the control channel should already be limited by either network ACLs, TSIG keys, or both."
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-officer@isc.org",
          "DATE_PUBLIC": "2017-03-12T00:00:00.000Z",
          "ID": "CVE-2017-3138",
          "STATE": "PUBLIC",
          "TITLE": "named exits with a REQUIRE assertion failure if it receives a null command string on its control channel"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "BIND 9",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.9.9-\u003e9.9.9-P7, 9.9.10b1-\u003e9.9.10rc2, 9.10.4-\u003e9.10.4-P7, 9.10.5b1-\u003e9.10.5rc2, 9.11.0-\u003e9.11.0-P4, 9.11.1b1-\u003e9.11.1rc2, 9.9.9-S1-\u003e9.9.9-S9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ISC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "ISC would like to thank Mike Lalumiere of Dyn, Inc., for bringing this issue to our attention."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9-\u003e9.9.9-P7, 9.9.10b1-\u003e9.9.10rc2, 9.10.4-\u003e9.10.4-P7, 9.10.5b1-\u003e9.10.5rc2, 9.11.0-\u003e9.11.0-P4, 9.11.1b1-\u003e9.11.1rc2, 9.9.9-S1-\u003e9.9.9-S9."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "The BIND control channel is not configured by default, but when configured will accept commands from those IP addresses that are specified in its access control list and/or from clients which present the proper transaction key.  Using this defect, an attacker can cause a running server to stop if they can get it to accept control channel input from them.  In most instances this is not as bad as it sounds, because existing commands permitted over the control channel (i.e. \"rndc stop\") can already be given to cause the server to stop.\n\nHowever, BIND 9.11.0 introduced a new option to allow \"read only\" commands over the command channel.  Using this restriction, a server can be configured to limit specified clients to giving control channel commands which return information only (e.g. \"rndc status\") without affecting the operational state of the server.  The defect described in this advisory, however, is not properly stopped by the \"read only\" restriction, in essence permitting a privilege escalation allowing a client which should only be permitted the limited set of \"read only\" operations to cause the server to stop execution."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1038260",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038260"
            },
            {
              "name": "97657",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97657"
            },
            {
              "name": "GLSA-201708-01",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201708-01"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20180802-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20180802-0002/"
            },
            {
              "name": "DSA-3854",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-3854"
            },
            {
              "name": "https://kb.isc.org/docs/aa-01471",
              "refsource": "CONFIRM",
              "url": "https://kb.isc.org/docs/aa-01471"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.\n\n    BIND 9 version 9.9.9-P8\n    BIND 9 version 9.10.4-P8\n    BIND 9 version 9.11.0-P5\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n    BIND 9 version 9.9.9-S10\n\nNew maintenance releases of BIND are also scheduled which contain the fix for this vulnerability.  In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions:\n\n    BIND 9 version 9.9.10rc3\n    BIND 9 version 9.10.5rc3\n    BIND 9 version 9.11.1rc3"
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "None.  However, in a properly configured server, access to the control channel should already be limited by either network ACLs, TSIG keys, or both."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2017-3138",
    "datePublished": "2019-01-16T20:00:00Z",
    "dateReserved": "2016-12-02T00:00:00",
    "dateUpdated": "2024-09-16T22:40:54.323Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted