CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
First published: Sun Mar 12 2017(Updated: )
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| ISC BIND 9 | =9.9.9 | |
| ISC BIND 9 | =9.9.9-p1 | |
| ISC BIND 9 | =9.9.9-p2 | |
| ISC BIND 9 | =9.9.9-p3 | |
| ISC BIND 9 | =9.9.9-p4 | |
| ISC BIND 9 | =9.9.9-p5 | |
| ISC BIND 9 | =9.9.9-p6 | |
| ISC BIND 9 | =9.9.9-p7 | |
| ISC BIND 9 | =9.9.9-s1 | |
| ISC BIND 9 | =9.9.9-s7 | |
| ISC BIND 9 | =9.9.10-beta1 | |
| ISC BIND 9 | =9.9.10-rc1 | |
| ISC BIND 9 | =9.9.10-rc2 | |
| ISC BIND 9 | =9.10.4 | |
| ISC BIND 9 | =9.10.4-p1 | |
| ISC BIND 9 | =9.10.4-p2 | |
| ISC BIND 9 | =9.10.4-p3 | |
| ISC BIND 9 | =9.10.4-p4 | |
| ISC BIND 9 | =9.10.4-p5 | |
| ISC BIND 9 | =9.10.4-p6 | |
| ISC BIND 9 | =9.10.4-p7 | |
| ISC BIND 9 | =9.10.5-b1 | |
| ISC BIND 9 | =9.10.5-rc1 | |
| ISC BIND 9 | =9.10.5-rc2 | |
| ISC BIND 9 | =9.11.0 | |
| ISC BIND 9 | =9.11.0-p1 | |
| ISC BIND 9 | =9.11.0-p2 | |
| ISC BIND 9 | =9.11.0-p3 | |
| ISC BIND 9 | =9.11.0-p4 | |
| ISC BIND 9 | =9.11.1-b1 | |
| ISC BIND 9 | =9.11.1-rc1 | |
| ISC BIND 9 | =9.11.1-rc2 | |
| NetApp Data ONTAP | ||
| NetApp Element OS | ||
| NetApp OnCommand Balance | ||
| Debian | =8.0 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.9-P8 BIND 9 version 9.10.4-P8 BIND 9 version 9.11.0-P5 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9 version 9.9.9-S10 New maintenance releases of BIND are also scheduled which contain the fix for this vulnerability. In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions: BIND 9 version 9.9.10rc3 BIND 9 version 9.10.5rc3 BIND 9 version 9.11.1rc3
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-3138
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3138
- https://kb.isc.org/article/AA-01471
- https://security-tracker.debian.org/tracker/CVE-2017-3139
- https://access.redhat.com/errata/RHSA-2017:1202
- https://security-tracker.debian.org/tracker/CVE-2017-3136
- https://security-tracker.debian.org/tracker/CVE-2017-3137
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860226
- https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=a636604b20cc0aaabc8edbb7595f7c1c820b7610
- http://www.securityfocus.com/bid/97657
- http://www.securitytracker.com/id/1038260
- https://kb.isc.org/docs/aa-01471
- https://security.gentoo.org/glsa/201708-01
- https://security.netapp.com/advisory/ntap-20180802-0002/
- https://www.debian.org/security/2017/dsa-3854
Frequently Asked Questions
What is the severity of CVE-2017-3138?
CVE-2017-3138 is considered a medium severity vulnerability affecting BIND servers.
How do I fix CVE-2017-3138?
To fix CVE-2017-3138, you should update your BIND software to the latest patched version.
Which versions of BIND are affected by CVE-2017-3138?
CVE-2017-3138 affects several versions of BIND, including 9.9.9 and others listed in the vulnerability report.
Can CVE-2017-3138 be exploited remotely?
Yes, CVE-2017-3138 can be exploited remotely under certain conditions.
What types of systems are impacted by CVE-2017-3138?
CVE-2017-3138 impacts systems running affected versions of the BIND DNS software.
- collector/debian-bugs
- alias/CVE-2017-3138
- collector/security-tracker-debian
- agent/type
- agent/references
- agent/author
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/isc
- canonical/isc bind 9
- version/isc bind 9/9.9.9
- version/isc bind 9/9.9.9-p1
- version/isc bind 9/9.9.9-p2
- version/isc bind 9/9.9.9-p3
- version/isc bind 9/9.9.9-p4
- version/isc bind 9/9.9.9-p5
- version/isc bind 9/9.9.9-p6
- version/isc bind 9/9.9.9-p7
- version/isc bind 9/9.9.9-s1
- version/isc bind 9/9.9.9-s7
- version/isc bind 9/9.9.10-beta1
- version/isc bind 9/9.9.10-rc1
- version/isc bind 9/9.9.10-rc2
- version/isc bind 9/9.10.4
- version/isc bind 9/9.10.4-p1
- version/isc bind 9/9.10.4-p2
- version/isc bind 9/9.10.4-p3
- version/isc bind 9/9.10.4-p4
- version/isc bind 9/9.10.4-p5
- version/isc bind 9/9.10.4-p6
- version/isc bind 9/9.10.4-p7
- version/isc bind 9/9.10.5-b1
- version/isc bind 9/9.10.5-rc1
- version/isc bind 9/9.10.5-rc2
- version/isc bind 9/9.11.0
- version/isc bind 9/9.11.0-p1
- version/isc bind 9/9.11.0-p2
- version/isc bind 9/9.11.0-p3
- version/isc bind 9/9.11.0-p4
- version/isc bind 9/9.11.1-b1
- version/isc bind 9/9.11.1-rc1
- version/isc bind 9/9.11.1-rc2
- vendor/netapp
- canonical/netapp data ontap
- canonical/netapp element os
- canonical/netapp oncommand balance
- vendor/debian
- canonical/debian
- version/debian/8.0