CVE-2017-3138

LOW

Description

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.

References

http://www.securityfocus.com/bid/97657

http://www.securitytracker.com/id/1038260

https://kb.isc.org/docs/aa-01471

https://security.gentoo.org/glsa/201708-01

https://security.netapp.com/advisory/ntap-20180802-0002/

https://www.debian.org/security/2017/dsa-3854

Details

Source: MITRE

Published: 2019-01-16

Updated: 2019-10-09

Type: CWE-617

Risk Information

CVSS v2.0

Base Score: 3.5

Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 6.8

Severity: LOW

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 1.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:isc:bind:9.9.9:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:p1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:p2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:p3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:p4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:p5:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:p6:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:p7:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:s1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.9:s7:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.10:beta1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.10:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.9.10:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.4:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.4:p1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.4:p2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.4:p3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.4:p4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.4:p5:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.4:p6:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.4:p7:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.5:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.5:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.10.5:rc2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.11.0:*:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.11.0:p1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.11.0:p2:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.11.0:p3:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.11.0:p4:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.11.1:b1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.11.1:rc1:*:*:*:*:*:*

cpe:2.3:a:isc:bind:9.11.1:rc2:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Tenable Plugins

View all (17 total)

IDNameProductFamilySeverity
102531GLSA-201708-01 : BIND: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
101751Fedora 26 : 32:bind (2017-f9f909a7b7)NessusFedora Local Security Checks
medium
101692Fedora 26 : bind99 (2017-a354efc764)NessusFedora Local Security Checks
medium
100477Debian DLA-957-1 : bind9 security updateNessusDebian Local Security Checks
medium
100167Debian DSA-3854-1 : bind9 - security updateNessusDebian Local Security Checks
medium
100014Fedora 24 : bind99 (2017-edce28f24b)NessusFedora Local Security Checks
medium
99605Fedora 24 : 32:bind (2017-0a876b0ba5)NessusFedora Local Security Checks
medium
99499openSUSE Security Update : bind (openSUSE-2017-491)NessusSuSE Local Security Checks
medium
99495Fedora 25 : 32:bind (2017-ee4b0f53cb)NessusFedora Local Security Checks
medium
99488Fedora 25 : bind99 (2017-44e494db1e)NessusFedora Local Security Checks
medium
99478ISC BIND 9 < 9.9.9-P8 / 9.9.9-S10 / 9.9.10rc3 / 9.10.4-P8 / 9.10.5rc3 / 9.11.0-P5 / 9.11.1r3 Multiple VunlerabilitiesNessusDNS
medium
99435Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : bind9 vulnerabilities (USN-3259-1)NessusUbuntu Local Security Checks
medium
99378Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bind (SSA:2017-103-01)NessusSlackware Local Security Checks
medium
99358SUSE SLES11 Security Update : bind (SUSE-SU-2017:1000-1)NessusSuSE Local Security Checks
medium
99357SUSE SLES12 Security Update : bind (SUSE-SU-2017:0999-1)NessusSuSE Local Security Checks
medium
99356SUSE SLED12 / SLES12 Security Update : bind (SUSE-SU-2017:0998-1)NessusSuSE Local Security Checks
medium
99325FreeBSD : BIND -- multiple vulnerabilities (c6861494-1ffb-11e7-934d-d05099c0ae8c)NessusFreeBSD Local Security Checks
medium