ISC BIND 9 < 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5-S3 / 9.11.1-P2 Multiple Vulnerabilities

2017-07-05T00:00:00
ID BIND9_CVE-2017-3143.NASL
Type nessus
Reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.9.x prior to 9.9.10-P2 or 9.9.10-S3, 9.10.x prior to 9.10.5-P2 or 9.10.5-S3, or 9.11.x prior to 9.11.1-P2. It is, therefore, affected by multiple vulnerabilities :

  • A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling received messages. An unauthenticated, remote attacker can exploit this, via a specially crafted request packet, to circumvent TSIG authentication of AXFR requests. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name. (CVE-2017-3142)

  • A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling messages. An unauthenticated, remote attacker can exploit this to manipulate BIND into accepting an unauthorized dynamic update. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name for the zone and service being targeted. (CVE-2017-3143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin metadata block. When the script is loaded with `description` set, it
# registers the plugin's identifiers, report text, scoring and prerequisites,
# then leaves through exit(0) before any of the check logic below runs.
if (description)
{
  script_id(101232);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/12");

  # Both CVEs are TSIG authentication flaws; they are reported as one finding.
  script_cve_id("CVE-2017-3142", "CVE-2017-3143");
  script_bugtraq_id(99337, 99339);

  script_name(english:"ISC BIND 9 < 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5-S3 / 9.11.1-P2 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of BIND.");

  script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by multiple vulnerabilities.");
  # Triage hint for whoever reads the finding: per the text below, both issues
  # need an authoritative server the sender can exchange messages with and a
  # known valid TSIG key name, so servers that rely on TSIG keys to authorize
  # zone transfers or dynamic updates are the ones to prioritize.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the instance of ISC BIND 9
running on the remote name server is 9.9.x prior to 9.9.10-P2 or
9.9.10-S3, 9.10.x prior to 9.10.5-P2 or 9.10.5-S3, or 9.11.x prior to
9.11.1-P2. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in the Transaction Signature (TSIG)
    authentication implementation when handling received
    messages. An unauthenticated, remote attacker can
    exploit this, via a specially crafted request packet, to
    circumvent TSIG authentication of AXFR requests. Note
    that to exploit this issue the attacker must be able to
    send and receive messages to an authoritative DNS
    server and have knowledge of a valid TSIG key name.
    (CVE-2017-3142)

  - A flaw exists in the Transaction Signature (TSIG)
    authentication implementation when handling messages.
    An unauthenticated, remote attacker can exploit this to
    manipulate BIND into accepting an unauthorized dynamic
    update. Note that to exploit this issue the attacker
    must be able to send and receive messages to an
    authoritative DNS server and have knowledge of a valid
    TSIG key name for the zone and service being targeted.
    (CVE-2017-3143)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01503");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01504");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01505");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01506");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01507");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01508");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01509");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ISC BIND version 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 /
9.10.5-S3 / 9.11.1-P2 or later.");
  # The vectors are those of CVE-2017-3143 (see cvss_score_source below) and
  # rate integrity only (C:N). NOTE(review): the AXFR authentication bypass
  # described for CVE-2017-3142 concerns zone-transfer data, which this score
  # does not reflect - weigh that separately when prioritizing.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3143");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/05");

  # Marked as a potential vulnerability: the result comes from a version
  # string alone, not from a test of the TSIG code path.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the "bind/version" KB item (presumably populated by
  # bind_version.nasl - confirm there) and the paranoid-report setting. With
  # either key missing the plugin is not expected to produce a result at all.
  script_dependencies("bind_version.nasl");
  script_require_keys("bind/version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version string previously stored in the knowledge base; the plugin stops
# here when "bind/version" is absent. Nothing is sent to the name server by
# this script - the whole decision below is a string match on this value.
ver = get_kb_item_or_exit("bind/version");

# The finding rests on a self-reported version only, so it is withheld unless
# the scan's paranoia level is 2 or higher.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Match every release that precedes the fixed build on each affected branch.
# Caveats for whoever interprets the result:
#  - The patterns for 9.9.10, 9.10.5 and 9.11.1 are anchored with `$`, so a
#    version string carrying any suffix other than the ones listed (for
#    example a vendor build tag) matches nothing and falls through to the
#    not-vulnerable audit at the bottom.
#  - NOTE(review): packages that backport the fix without changing the
#    upstream version number would still match; check the vendor advisory
#    before treating a hit as confirmed.
if (
  # 9.9.0 - 9.9.9 (any suffix)
  ver =~ "^9\.9\.[0-9]($|[^0-9])" ||
  # 9.9.10 builds before 9.9.10-P2 / 9.9.10-S3: the plain release,
  # a/b/beta/rc pre-releases, -P0/-P1 and -S0..-S2
  ver =~ "^9\.9\.10((([ab]|beta|rc)[0-9]*)|(-P[0-1])|(-S[0-2]))?$" ||

  # 9.10.0 - 9.10.4 (any suffix)
  ver =~ "^9\.10\.[0-4]($|[^0-9])" ||
  # 9.10.5 builds before 9.10.5-P2 / 9.10.5-S3: the plain release,
  # a/b/beta/rc pre-releases, -P0/-P1 and -S0..-S2
  ver =~ "^9\.10\.5((([ab]|beta|rc)[0-9]*)|(-P[0-1])|(-S[0-2]))?$" ||

  # 9.11.0 (any suffix)
  ver =~ "^9\.11\.0($|[^0-9])" ||
  # 9.11.1 builds before 9.11.1-P2: the plain release, a/b/beta/rc
  # pre-releases and -P0/-P1 (no -S alternative on this branch)
  ver =~ "^9\.11\.1((([ab]|beta|rc)[0-9]*)|(-P[0-1]))?$"
)
{
  # Report body: the observed version next to the list of fixed releases.
  items = make_array(
    "Installed version", ver,
    "Fixed version", "9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5-S3 / 9.11.1-P2"
  );
  order = make_list("Installed version", "Fixed version");
  # Raised at warning severity against 53/udp. The port and protocol are
  # fixed here rather than read from the KB.
  # NOTE(review): confirm this matches where the version was actually detected.
  security_report_v4(
    severity:SECURITY_WARNING,
    port:53,
    proto:"udp",
    extra:report_items_str(
      report_items:items,
      ordered_fields:order
    )
  );
}
# No pattern matched: audit the service as not vulnerable at this version.
# This is also the outcome for a version string the patterns cannot parse, so
# a "not vulnerable" audit is not proof that the host is patched.
else audit(AUDIT_LISTEN_NOT_VULN, "BIND", 53, ver, "UDP");