CVE-2017-3142 and CVE-2017-3143 -- TSIG-related BIND vulnerabilities

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

CVE-2017-3142 and CVE-2017-3143 -- TSIG-related BIND vulnerabilities

Michael McNally
Today ISC announced two significant BIND vulnerabilities (via our
bind-announce list -- https://lists.isc.org/mailman/listinfo/bind-announce)

They are CVE-2017-3142 and CVE-2017-3143 and both are related to
errors in our TSIG support.  These are unusual CVEs for BIND --
many of the vulnerabilities we disclose are denial-of-service
vectors which affect server availability but can easily be
partly or completely mitigated by running BIND with a watchdog
process.  Atypically, these new vulnerabilities have, respectively,
a confidentiality impact (for CVE-2017-3142, which potentially
permits unauthorized zone transfer) and a data integrity impact
(CVE-2017-3143, which under some circumstances can permit an
attacker to cause the server to accept a forged DDNS update.)

New versions of BIND have been released and are available from
ISC's web site:  http://www.isc.org/downloads

Details on the vulnerabilities are available via the ISC Knowledge Base:
https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/

Please take these bugs seriously and act promptly to safeguard
your servers if you rely on TSIG authentication for zone transfers
or DDNS.


Michael McNally
ISC Support
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Loading...