Security Alert (A17-06-04): Multiple Vulnerabilities in ISC BIND


 

Published on: 16 June 2017

  
  

Description:

Multiple vulnerabilities were found in the ISC BIND software. A remote attacker could send a specially crafted query to trigger an error in processing Response Policy Zones (RPZ) rules and cause an endless loop and repeatedly query the same sets of authoritative nameservers. In addition, a local attacker could obtain elevated privilege by exploiting an unquoted service path in the BIND installer on Windows-based systems.

 

Affected Systems:

  • BIND 9.2.6-P2 to 9.2.9
  • BIND 9.3.2-P1 to 9.3.6
  • BIND 9.4.0 to 9.8.8
  • BIND 9.9.0 to 9.9.10
  • BIND 9.9.3-S1 to 9.9.10-S1
  • BIND 9.10.0 to 9.10.5
  • BIND 9.10.5-S1
  • BIND 9.11.0 to 9.11.1

 

Impact:

Successful exploitation could lead to a denial of service (DoS) condition and privilege escalation on an affected system.

 

Recommendation:

Internet Systems Consortium (ISC) has released the following patches to solve the problems:

  • BIND 9 version 9.9.10-P1
  • BIND 9 version 9.10.5-P1
  • BIND 9 version 9.11.1-P1
  • BIND 9 version 9.9.10-S2
  • BIND 9 version 9.10.5-S2

http://www.isc.org/downloads/

Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

https://kb.isc.org/article/AA-01495
https://kb.isc.org/article/AA-01496
https://www.us-cert.gov/ncas/current-activity/2017/06/15/ISC-Releases-Security-Updates-BIND
https://www.hkcert.org/my_url/en/alert/17061601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3141 



Tag: BIND , ISC
Tags