[dns-operations] CVE-2017-3142 and CVE-2017-3143 -- TSIG-related BIND vulnerabilities
Michael McNally
mcnally at isc.org
Thu Jun 29 21:26:41 UTC 2017
Today ISC announced two significant BIND vulnerabilities (via our
bind-announce list -- https://lists.isc.org/mailman/listinfo/bind-announce)
They are CVE-2017-3142 and CVE-2017-3143 and both are related to
errors in our TSIG support. These are unusual CVEs for BIND --
many of the vulnerabilities we disclose are denial-of-service
vectors which affect server availability but can easily be
partly or completely mitigated by running BIND with a watchdog
process. Atypically, these new vulnerabilities have, respectively,
a confidentiality impact (for CVE-2017-3142, which potentially
permits unauthorized zone transfer) and a data integrity impact
(CVE-2017-3143, which under some circumstances can permit an
attacker to cause the server to accept a forged DDNS update.)
New versions of BIND have been released and are available from
ISC's web site: http://www.isc.org/downloads
Details on the vulnerabilities are available via the ISC Knowledge Base:
https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/
Please take these bugs seriously and act promptly to safeguard
your servers if you rely on TSIG authentication for zone transfers
or DDNS.
Michael McNally
ISC Support
More information about the dns-operations
mailing list