VID |
19070 |
Severity |
40 |
Port |
53 |
Protocol |
UDP |
Class |
DNS |
Detailed Description |
ISC BIND (Berkeley Internet Name Daemon) is a server utility that implements the DNS (domain name service) protocol. It is widely used on the Internet. According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.9.x prior to 9.9.10-S3. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling received messages. An unauthenticated, remote attacker can exploit this, via a specially crafted request packet, to circumvent TSIG authentication of AXFR requests. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name. (CVE-2017-3142)
- A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling messages. An unauthenticated, remote attacker can exploit this to manipulate BIND into accepting an unauthorized dynamic update. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name for the zone and service being targeted. (CVE-2017-3143)
* References: https://kb.isc.org/article/AA-01503 https://kb.isc.org/article/AA-01504 https://kb.isc.org/article/AA-01505 https://kb.isc.org/article/AA-01506 https://kb.isc.org/article/AA-01507 https://kb.isc.org/article/AA-01508 https://kb.isc.org/article/AA-01509 |
Recommendation |
Upgrade to the latest version of BIND (9.9.10-S3 or later), available from the Internet Software Consortium (ISC) Web site at http://www.isc.org/downloads/BIND/ |
Related URL |
CVE-2017-3142,CVE-2017-3143 (CVE) |
Related URL |
99337,99339 (SecurityFocus) |
Related URL |
(ISS) |
|