CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
First published: Sun Mar 12 2017(Updated: )
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| ISC BIND | =9.9.9 | |
| ISC BIND | =9.9.9-p1 | |
| ISC BIND | =9.9.9-p2 | |
| ISC BIND | =9.9.9-p3 | |
| ISC BIND | =9.9.9-p4 | |
| ISC BIND | =9.9.9-p5 | |
| ISC BIND | =9.9.9-p6 | |
| ISC BIND | =9.9.9-p7 | |
| ISC BIND | =9.9.9-s1 | |
| ISC BIND | =9.9.9-s7 | |
| ISC BIND | =9.9.10-beta1 | |
| ISC BIND | =9.9.10-rc1 | |
| ISC BIND | =9.9.10-rc2 | |
| ISC BIND | =9.10.4 | |
| ISC BIND | =9.10.4-p1 | |
| ISC BIND | =9.10.4-p2 | |
| ISC BIND | =9.10.4-p3 | |
| ISC BIND | =9.10.4-p4 | |
| ISC BIND | =9.10.4-p5 | |
| ISC BIND | =9.10.4-p6 | |
| ISC BIND | =9.10.4-p7 | |
| ISC BIND | =9.10.5-b1 | |
| ISC BIND | =9.10.5-rc1 | |
| ISC BIND | =9.10.5-rc2 | |
| ISC BIND | =9.11.0 | |
| ISC BIND | =9.11.0-p1 | |
| ISC BIND | =9.11.0-p2 | |
| ISC BIND | =9.11.0-p3 | |
| ISC BIND | =9.11.0-p4 | |
| ISC BIND | =9.11.1-b1 | |
| ISC BIND | =9.11.1-rc1 | |
| ISC BIND | =9.11.1-rc2 | |
| Netapp Data Ontap Edge | ||
| Netapp Element Software | ||
| NetApp OnCommand Balance | ||
| Debian Debian Linux | =8.0 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.9-P8 BIND 9 version 9.10.4-P8 BIND 9 version 9.11.0-P5 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9 version 9.9.9-S10 New maintenance releases of BIND are also scheduled which contain the fix for this vulnerability. In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions: BIND 9 version 9.9.10rc3 BIND 9 version 9.10.5rc3 BIND 9 version 9.11.1rc3
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-3138
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3138
- https://kb.isc.org/article/AA-01471
- https://security-tracker.debian.org/tracker/CVE-2017-3139
- https://access.redhat.com/errata/RHSA-2017:1202
- https://security-tracker.debian.org/tracker/CVE-2017-3136
- https://security-tracker.debian.org/tracker/CVE-2017-3137
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860226
- https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=a636604b20cc0aaabc8edbb7595f7c1c820b7610
- http://www.securityfocus.com/bid/97657
- http://www.securitytracker.com/id/1038260
- https://kb.isc.org/docs/aa-01471
- https://security.gentoo.org/glsa/201708-01
- https://security.netapp.com/advisory/ntap-20180802-0002/
- https://www.debian.org/security/2017/dsa-3854
- collector/debian-bugs
- alias/CVE-2017-3138
- collector/security-tracker-debian
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/references
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- package-manager/debian
- vendor/isc
- canonical/isc bind
- version/isc bind/9.9.9
- version/isc bind/9.9.9-p1
- version/isc bind/9.9.9-p2
- version/isc bind/9.9.9-p3
- version/isc bind/9.9.9-p4
- version/isc bind/9.9.9-p5
- version/isc bind/9.9.9-p6
- version/isc bind/9.9.9-p7
- version/isc bind/9.9.9-s1
- version/isc bind/9.9.9-s7
- version/isc bind/9.9.10-beta1
- version/isc bind/9.9.10-rc1
- version/isc bind/9.9.10-rc2
- version/isc bind/9.10.4
- version/isc bind/9.10.4-p1
- version/isc bind/9.10.4-p2
- version/isc bind/9.10.4-p3
- version/isc bind/9.10.4-p4
- version/isc bind/9.10.4-p5
- version/isc bind/9.10.4-p6
- version/isc bind/9.10.4-p7
- version/isc bind/9.10.5-b1
- version/isc bind/9.10.5-rc1
- version/isc bind/9.10.5-rc2
- version/isc bind/9.11.0
- version/isc bind/9.11.0-p1
- version/isc bind/9.11.0-p2
- version/isc bind/9.11.0-p3
- version/isc bind/9.11.0-p4
- version/isc bind/9.11.1-b1
- version/isc bind/9.11.1-rc1
- version/isc bind/9.11.1-rc2
- vendor/netapp
- canonical/netapp data ontap edge
- canonical/netapp element software
- canonical/netapp oncommand balance
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0