#VU16151 Assertion failure in ISC BIND - CVE-2017-3138


Vulnerability identifier: #VU16151

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-3138

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description
The vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc.. A remote attacker can send some versions of named a null command string, trigger a REQUIRE assertion failure and cause the service to crash.

Mitigation
The vulnerability has been addressed in the versions 9.9.9-P8, 9.10.4-P8, 9.11.0-P5.

Vulnerable software versions

ISC BIND: 9.9.9-P1 - 9.11.0

External links
https://kb.isc.org/docs/aa-01471

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Unisphere Central
Gentoo update for BIND
Debian update for bind9
Arch Linux update for bind
Assertion failure in bind (Alpine package)
OpenSUSE Linux update for bind
Slackware Linux update for bind
SUSE Linux update for bind
SUSE Linux update for bind