
[ASA-201707-3] bind: access restriction bypass

2017-07-04 00:00:00
security.archlinux.org

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE

EPSS: 0.055
Percentile: 93.4%

Arch Linux Security Advisory ASA-201707-3

Severity: High
Date : 2017-07-04
CVE-ID : CVE-2017-3142 CVE-2017-3143
Package : bind
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-335

Summary

The package bind before version 9.11.1.P2-1 is vulnerable to access
restriction bypass.

Resolution

Upgrade to 9.11.1.P2-1.

pacman -Syu "bind>=9.11.1.P2-1"

The problems have been fixed upstream in version 9.11.1.P2.
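An added example, not part of the Arch advisory, for checking whether an installed bind package is still below the fixed version 9.11.1.P2-1. It compares versions the way pacman's vercmp does for the dot-separated forms used here (numeric runs compared numerically, then the pkgrel); the `pacman -Q` output line is a constructed sample.

```python
"""Check an Arch 'bind' package version against the fix in ASA-201707-3.

Assumptions: versions look like 'pkgver-pkgrel' with dot-separated numeric
or alphabetic segments (no epoch), which covers the versions this advisory
names. Full pacman vercmp semantics (e.g. '1.0a' < '1.0') are not modelled.
"""
import re

FIXED_VERSION = "9.11.1.P2-1"  # fixed package version given in the advisory


def _tokens(segment):
    # "9.11.1.P2" -> ["9", "11", "1", "P", "2"]; separator characters are dropped
    return re.findall(r"\d+|[A-Za-z]+", segment)


def _cmp_tokens(a, b):
    for x, y in zip(a, b):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():   # a numeric segment is newer than an alphabetic one
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    # all shared segments equal: the version with more segments is newer
    return (len(a) > len(b)) - (len(a) < len(b))


def vercmp(v1, v2):
    """Return -1, 0 or 1 (v1 older, equal, newer), pkgver first, then pkgrel."""
    ver1, _, rel1 = v1.partition("-")
    ver2, _, rel2 = v2.partition("-")
    result = _cmp_tokens(_tokens(ver1), _tokens(ver2))
    if result != 0 or not (rel1 and rel2):
        return result
    return _cmp_tokens(_tokens(rel1), _tokens(rel2))


def version_from_pacman_q(line):
    """Extract the version from one 'pacman -Q bind' output line ('bind 9.11.1.P1-1')."""
    _name, version = line.split()
    return version


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the advisory's fixed version."""
    return vercmp(installed, fixed) < 0


if __name__ == "__main__":
    sample = "bind 9.11.1.P1-1"  # constructed sample of `pacman -Q bind` output
    print(sample, "vulnerable:", is_vulnerable(version_from_pacman_q(sample)))
```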

Workaround

None.

Description

  • CVE-2017-3142 (access restriction bypass)

An error in TSIG authentication has been found in Bind <= 9.11.1-P1,
allowing a remote attacker to bypass authentication in order to perform
unauthorized zone transfers or forge NOTIFY packets. The attacker needs
to have knowledge of the key name, and should be allowed by the other
ACL restrictions if any.

  • CVE-2017-3143 (access restriction bypass)

An error in TSIG authentication has been found in Bind <= 9.11.1-P1,
allowing a remote attacker to bypass authentication in order to perform
unauthorized zone updates, altering the content of the zone. The
attacker needs to have knowledge of the key name, and should be allowed
by the other ACL restrictions if any.

Impact

A remote attacker can bypass authentication in order to retrieve or
update the content of a zone.

References

https://kb.isc.org/article/AA-01504/74/CVE-2017-3142%3A-An-error-in-TSIG-authentication-can-permit-unauthorized-zone-transfers.html
https://kb.isc.org/article/AA-01503/74/CVE-2017-3143%3A-An-error-in-TSIG-authentication-can-permit-unauthorized-dynamic-updates.html
https://security.archlinux.org/CVE-2017-3142
https://security.archlinux.org/CVE-2017-3143

OS          Version  Architecture  Package  Version         Filename
Arch Linux  any      any           bind     < 9.11.1.P2-1   UNKNOWN