CVE-2017-3142 and CVE-2017-3143 -- TSIG-related BIND vulnerabilities


Michael McNally
Today ISC announced two significant BIND vulnerabilities (via our
bind-announce list --

They are CVE-2017-3142 and CVE-2017-3143 and both are related to
errors in our TSIG support.  These are unusual CVEs for BIND --
many of the vulnerabilities we disclose are denial-of-service
vectors which affect server availability but can easily be
partly or completely mitigated by running BIND with a watchdog
process.  Atypically, these new vulnerabilities have, respectively,
a confidentiality impact (for CVE-2017-3142, which potentially
permits unauthorized zone transfer) and a data integrity impact
(CVE-2017-3143, which under some circumstances can permit an
attacker to cause the server to accept a forged DDNS update).

New versions of BIND have been released and are available from
ISC's web site:

Details on the vulnerabilities are available via the ISC Knowledge Base:

Please take these bugs seriously and act promptly to safeguard
your servers if you rely on TSIG authentication for zone transfers
or DDNS.

Michael McNally
ISC Support