[dns-operations] CVE-2017-3142 and CVE-2017-3143 -- TSIG-related BIND vulnerabilities

Michael McNally mcnally at isc.org
Thu Jun 29 21:26:41 UTC 2017

Today ISC announced two significant BIND vulnerabilities (via our
bind-announce list -- https://lists.isc.org/mailman/listinfo/bind-announce)

They are CVE-2017-3142 and CVE-2017-3143 and both are related to
errors in our TSIG support.  These are unusual CVEs for BIND --
many of the vulnerabilities we disclose are denial-of-service
vectors which affect server availability but can easily be
partly or completely mitigated by running BIND with a watchdog
process.  Atypically, these new vulnerabilities have, respectively,
a confidentiality impact (for CVE-2017-3142, which potentially
permits unauthorized zone transfer) and a data integrity impact
(CVE-2017-3143, which under some circumstances can permit an
attacker to cause the server to accept a forged DDNS update.)

New versions of BIND have been released and are available from
ISC's web site:  http://www.isc.org/downloads

Details on the vulnerabilities are available via the ISC Knowledge Base:

Please take these bugs seriously and act promptly to safeguard
your servers if you rely on TSIG authentication for zone transfers
or DDNS.

Michael McNally
ISC Support

More information about the dns-operations mailing list