CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
First published: Sun Mar 12 2017(Updated: )
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Servers are at risk if they are configured to use DNS64 and if the option "break-dnssec yes;" is in use. External References: <a href="https://kb.isc.org/article/AA-01465">https://kb.isc.org/article/AA-01465</a> Mitigation: Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade. Servers which are not using these features in conjunction are not at risk from this defect.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| redhat/bind | <9.9.9 | 9.9.9 |
| redhat/bind | <9.10.4 | 9.10.4 |
| redhat/bind | <9.11.0 | 9.11.0 |
| ISC BIND 9 | >=9.8.0<=9.8.8 | |
| ISC BIND 9 | >=9.9.0<=9.9.9 | |
| ISC BIND 9 | >=9.10.0<=9.10.4 | |
| ISC BIND 9 | =9.8.0-p1 | |
| ISC BIND 9 | =9.9.0-p1 | |
| ISC BIND 9 | =9.9.0-p2 | |
| ISC BIND 9 | =9.9.0-p3 | |
| ISC BIND 9 | =9.9.0-p4 | |
| ISC BIND 9 | =9.9.0-p5 | |
| ISC BIND 9 | =9.9.0-p6 | |
| ISC BIND 9 | =9.9.3 | |
| ISC BIND 9 | =9.9.3-s1 | |
| ISC BIND 9 | =9.9.10-beta1 | |
| ISC BIND 9 | =9.9.10-rc1 | |
| ISC BIND 9 | =9.10.4-p1 | |
| ISC BIND 9 | =9.10.4-p2 | |
| ISC BIND 9 | =9.10.4-p3 | |
| ISC BIND 9 | =9.10.4-p4 | |
| ISC BIND 9 | =9.10.4-p5 | |
| ISC BIND 9 | =9.10.4-p6 | |
| ISC BIND 9 | =9.10.5-b1 | |
| ISC BIND 9 | =9.10.5-rc1 | |
| ISC BIND 9 | =9.11.0 | |
| ISC BIND 9 | =9.11.0-p1 | |
| ISC BIND 9 | =9.11.0-p2 | |
| ISC BIND 9 | =9.11.0-p3 | |
| ISC BIND 9 | =9.11.1-beta1 | |
| ISC BIND 9 | =9.11.1-rc1 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.5 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| NetApp Data ONTAP | ||
| NetApp Element OS | ||
| NetApp OnCommand Balance | ||
| Debian | =8.0 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.9-P8 BIND 9 version 9.10.4-P8 BIND 9 version 9.11.0-P5 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9 version 9.9.9-S10 New maintenance releases of BIND are also scheduled which contain the fix for this vulnerability. In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions: BIND 9 version 9.9.10rc3 BIND 9 version 9.10.5rc3 BIND 9 version 9.11.1rc3
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-3136
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136
- https://kb.isc.org/article/AA-01465
- https://security-tracker.debian.org/tracker/CVE-2017-3139
- https://access.redhat.com/errata/RHSA-2017:1202
- https://security-tracker.debian.org/tracker/CVE-2017-3137
- https://security-tracker.debian.org/tracker/CVE-2017-3138
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860224
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
- http://www.securityfocus.com/bid/97653
- http://www.securitytracker.com/id/1038259
- https://access.redhat.com/errata/RHSA-2017:1095
- https://access.redhat.com/errata/RHSA-2017:1105
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us
- https://kb.isc.org/docs/aa-01465
- https://security.gentoo.org/glsa/201708-01
- https://security.netapp.com/advisory/ntap-20180802-0002/
- https://www.debian.org/security/2017/dsa-3854
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441916
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441917
- https://bugzilla.redhat.com/show_bug.cgi?id=1441125
- https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=764240ca07ab1b796226d5402ccd9fbfa77ec32a
Frequently Asked Questions
What is the severity of CVE-2017-3136?
CVE-2017-3136 is classified as a critical denial-of-service vulnerability that can cause a server using DNS64 to crash.
How do I fix CVE-2017-3136?
To fix CVE-2017-3136, update your BIND software to a version that has patched the vulnerability, such as 1:9.11.5.P4+dfsg-5.1+deb10u7 or higher.
Which versions of BIND are affected by CVE-2017-3136?
CVE-2017-3136 affects various versions of BIND including, but not limited to, versions prior to 9.11.5.P4, 9.10.4, and 9.9.9.
What types of attacks can CVE-2017-3136 be exploited for?
CVE-2017-3136 can be exploited to carry out denial-of-service attacks against servers using the DNS64 feature, causing them to terminate unexpectedly.
Are there any specific environments where CVE-2017-3136 is a concern?
CVE-2017-3136 is particularly concerning for servers configured to use the DNS64 feature, commonly found in environments supporting IPv6.
- collector/debian-bugs
- alias/CVE-2017-3136
- collector/security-tracker-debian
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/severity
- agent/title
- agent/remedy
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- package-manager/redhat
- vendor/isc
- canonical/isc bind 9
- version/isc bind 9/9.8.0
- version/isc bind 9/9.8.8
- version/isc bind 9/9.9.0
- version/isc bind 9/9.9.9
- version/isc bind 9/9.10.0
- version/isc bind 9/9.10.4
- version/isc bind 9/9.8.0-p1
- version/isc bind 9/9.9.0-p1
- version/isc bind 9/9.9.0-p2
- version/isc bind 9/9.9.0-p3
- version/isc bind 9/9.9.0-p4
- version/isc bind 9/9.9.0-p5
- version/isc bind 9/9.9.0-p6
- version/isc bind 9/9.9.3
- version/isc bind 9/9.9.3-s1
- version/isc bind 9/9.9.10-beta1
- version/isc bind 9/9.9.10-rc1
- version/isc bind 9/9.10.4-p1
- version/isc bind 9/9.10.4-p2
- version/isc bind 9/9.10.4-p3
- version/isc bind 9/9.10.4-p4
- version/isc bind 9/9.10.4-p5
- version/isc bind 9/9.10.4-p6
- version/isc bind 9/9.10.5-b1
- version/isc bind 9/9.10.5-rc1
- version/isc bind 9/9.11.0
- version/isc bind 9/9.11.0-p1
- version/isc bind 9/9.11.0-p2
- version/isc bind 9/9.11.0-p3
- version/isc bind 9/9.11.1-beta1
- version/isc bind 9/9.11.1-rc1
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/6.0
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.3
- version/red hat enterprise linux server/7.4
- version/red hat enterprise linux server/7.6
- version/red hat enterprise linux server/7.5
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/6.0
- version/red hat enterprise linux workstation/7.0
- vendor/netapp
- canonical/netapp data ontap
- canonical/netapp element os
- canonical/netapp oncommand balance
- vendor/debian
- canonical/debian
- version/debian/8.0