CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
First published: Sun Mar 12 2017(Updated: )
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Servers are at risk if they are configured to use DNS64 and if the option "break-dnssec yes;" is in use. External References: <a href="https://kb.isc.org/article/AA-01465">https://kb.isc.org/article/AA-01465</a> Mitigation: Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade. Servers which are not using these features in conjunction are not at risk from this defect.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| redhat/bind | <9.9.9 | 9.9.9 |
| redhat/bind | <9.10.4 | 9.10.4 |
| redhat/bind | <9.11.0 | 9.11.0 |
| ISC BIND | >=9.8.0<=9.8.8 | |
| ISC BIND | >=9.9.0<=9.9.9 | |
| ISC BIND | >=9.10.0<=9.10.4 | |
| ISC BIND | =9.8.0-p1 | |
| ISC BIND | =9.9.0-p1 | |
| ISC BIND | =9.9.0-p2 | |
| ISC BIND | =9.9.0-p3 | |
| ISC BIND | =9.9.0-p4 | |
| ISC BIND | =9.9.0-p5 | |
| ISC BIND | =9.9.0-p6 | |
| ISC BIND | =9.9.3 | |
| ISC BIND | =9.9.3-s1 | |
| ISC BIND | =9.9.10-beta1 | |
| ISC BIND | =9.9.10-rc1 | |
| ISC BIND | =9.10.4-p1 | |
| ISC BIND | =9.10.4-p2 | |
| ISC BIND | =9.10.4-p3 | |
| ISC BIND | =9.10.4-p4 | |
| ISC BIND | =9.10.4-p5 | |
| ISC BIND | =9.10.4-p6 | |
| ISC BIND | =9.10.5-b1 | |
| ISC BIND | =9.10.5-rc1 | |
| ISC BIND | =9.11.0 | |
| ISC BIND | =9.11.0-p1 | |
| ISC BIND | =9.11.0-p2 | |
| ISC BIND | =9.11.0-p3 | |
| ISC BIND | =9.11.1-beta1 | |
| ISC BIND | =9.11.1-rc1 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.3 | |
| Redhat Enterprise Linux Server Aus | =7.4 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Eus | =7.3 | |
| Redhat Enterprise Linux Server Eus | =7.4 | |
| Redhat Enterprise Linux Server Eus | =7.5 | |
| Redhat Enterprise Linux Server Eus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.3 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Netapp Data Ontap Edge | ||
| Netapp Element Software | ||
| NetApp OnCommand Balance | ||
| Debian Debian Linux | =8.0 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.9-P8 BIND 9 version 9.10.4-P8 BIND 9 version 9.11.0-P5 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9 version 9.9.9-S10 New maintenance releases of BIND are also scheduled which contain the fix for this vulnerability. In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions: BIND 9 version 9.9.10rc3 BIND 9 version 9.10.5rc3 BIND 9 version 9.11.1rc3
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-3136
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136
- https://kb.isc.org/article/AA-01465
- https://security-tracker.debian.org/tracker/CVE-2017-3139
- https://access.redhat.com/errata/RHSA-2017:1202
- https://security-tracker.debian.org/tracker/CVE-2017-3137
- https://security-tracker.debian.org/tracker/CVE-2017-3138
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860224
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
- http://www.securityfocus.com/bid/97653
- http://www.securitytracker.com/id/1038259
- https://access.redhat.com/errata/RHSA-2017:1095
- https://access.redhat.com/errata/RHSA-2017:1105
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us
- https://kb.isc.org/docs/aa-01465
- https://security.gentoo.org/glsa/201708-01
- https://security.netapp.com/advisory/ntap-20180802-0002/
- https://www.debian.org/security/2017/dsa-3854
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441916
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441917
- https://bugzilla.redhat.com/show_bug.cgi?id=1441125
- https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=764240ca07ab1b796226d5402ccd9fbfa77ec32a
- collector/debian-bugs
- alias/CVE-2017-3136
- collector/security-tracker-debian
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/author
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/title
- agent/remedy
- agent/first-publish-date
- agent/tags
- agent/event
- package-manager/debian
- package-manager/redhat
- vendor/isc
- canonical/isc bind
- version/isc bind/9.8.0
- version/isc bind/9.8.8
- version/isc bind/9.9.0
- version/isc bind/9.9.9
- version/isc bind/9.10.0
- version/isc bind/9.10.4
- version/isc bind/9.8.0-p1
- version/isc bind/9.9.0-p1
- version/isc bind/9.9.0-p2
- version/isc bind/9.9.0-p3
- version/isc bind/9.9.0-p4
- version/isc bind/9.9.0-p5
- version/isc bind/9.9.0-p6
- version/isc bind/9.9.3
- version/isc bind/9.9.3-s1
- version/isc bind/9.9.10-beta1
- version/isc bind/9.9.10-rc1
- version/isc bind/9.10.4-p1
- version/isc bind/9.10.4-p2
- version/isc bind/9.10.4-p3
- version/isc bind/9.10.4-p4
- version/isc bind/9.10.4-p5
- version/isc bind/9.10.4-p6
- version/isc bind/9.10.5-b1
- version/isc bind/9.10.5-rc1
- version/isc bind/9.11.0
- version/isc bind/9.11.0-p1
- version/isc bind/9.11.0-p2
- version/isc bind/9.11.0-p3
- version/isc bind/9.11.1-beta1
- version/isc bind/9.11.1-rc1
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.3
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.3
- version/redhat enterprise linux server eus/7.4
- version/redhat enterprise linux server eus/7.5
- version/redhat enterprise linux server eus/7.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.3
- version/redhat enterprise linux server tus/7.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- vendor/netapp
- canonical/netapp data ontap edge
- canonical/netapp element software
- canonical/netapp oncommand balance
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0