SecurityTracker.com



Category:   Application (Generic)  >   BIND
Vendors:   ISC (Internet Software Consortium)
BIND Null Command String Processing Lets Remote Users on Authorized Hosts Cause the Target Service to Crash
SecurityTracker Alert ID:  1038260
SecurityTracker URL:  https://securitytracker.com/id/1038260
CVE Reference:   CVE-2017-3138
Date:  Apr 13 2017
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 9.9.9 - 9.9.9-P7, 9.9.10b1 - 9.9.10rc2, 9.10.4 - 9.10.4-P7, 9.10.5b1 - 9.10.5rc2, 9.11.0 - 9.11.0-P4, 9.11.1b1 - 9.11.1rc2, 9.9.9-S1 - 9.9.9-S9
Description:   A vulnerability was reported in BIND. A remote user can cause the target service to crash.

A remote user who is permitted by the access control list (ACL) to access the control channel can send a specially crafted null command string that causes the target 'named' service to crash.

Systems configured to allow "read only" control channel commands are also affected.

Mike Lalumiere of Dyn, Inc. reported this vulnerability.

Impact:   A remote user on a host authorized by ACL can cause the target service to crash.
Solution:   The vendor has issued a fix (9.9.9-P8, 9.10.4-P8, 9.11.0-P5).

The vendor advisory is available at:

https://kb.isc.org/article/AA-01471

Vendor URL:  kb.isc.org/article/AA-01471
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 21 2017 (Ubuntu Issues Fix) BIND Null Command String Processing Lets Remote Users on Authorized Hosts Cause the Target Service to Crash
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 16.04 LTS, 16.10, and 17.04.
Jul 19 2018 (Juniper Issues Fix for Juniper Junos) BIND Null Command String Processing Lets Remote Users on Authorized Hosts Cause the Target Service to Crash
Juniper has issued a fix for Juniper Junos for SRX Series devices.



 Source Message Contents

Subject:  CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel


[Original Message Not Available for Viewing]




Content previously copyright SecurityGlobal.net LLC placed in the public domain on December 31, 2019.