| VID |
19072 |
| Severity |
40 |
| Port |
53 |
| Protocol |
UDP |
| Class |
DNS |
| Detailed Description |
ISC BIND (Berkeley Internet Name Daemon) is a server utility that implements the DNS (domain name service) protocol. It is widely used on the Internet.
According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.10.x prior to 9.10.5-S3. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling received messages. An unauthenticated, remote attacker can exploit this, via a specially crafted request packet, to circumvent TSIG authentication of AXFR requests. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name. (CVE-2017-3142)
- A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling messages. An unauthenticated, remote attacker can exploit this to manipulate BIND into accepting an unauthorized dynamic update. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name for the zone and service being targeted. (CVE-2017-3143)
* References:
https://kb.isc.org/article/AA-01503
https://kb.isc.org/article/AA-01504
https://kb.isc.org/article/AA-01505
https://kb.isc.org/article/AA-01506
https://kb.isc.org/article/AA-01507
https://kb.isc.org/article/AA-01508
https://kb.isc.org/article/AA-01509 |
| Recommendation |
Upgrade to the latest version of BIND (9.10.5-S3 or later), available from the Internet Software Consortium (ISC) Web site at http://www.isc.org/downloads/BIND/ |
| Related URL |
CVE-2017-3142,CVE-2017-3143 (CVE) |
| Related URL |
99337,99339 (SecurityFocus) |
| Related URL |
(ISS) |
|
