#VU7227 Assertion failure in ISC BIND - CVE-2017-3137


| Updated: 2018-11-28

Vulnerability identifier: #VU7227

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-3137

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing query response containing CNAME or DNAME resource records in an unusual order in BIND. A remote attacker can trigger assertion failure and crash BIND application.

Mitigation
The vulnerability has been addressed in the versions 9.9.9-P8, 9.10.4-P8, 9.11.0-P5.

Vulnerable software versions

ISC BIND: 9.9.9-P1 - 9.11.0

External links
https://kb.isc.org/docs/aa-01466

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Unisphere Central
Gentoo update for BIND
Red Hat Linux update for bind
Red Hat Linux update for bind
Debian update for bind9
Arch Linux update for bind
Amazon Linux AMI update for bind
Assertion failure in bind (Alpine package)
Red Hat update for bind
OpenSUSE Linux update for bind