Linux/Unix 主机中安装的一个或多个程序包受到一个漏洞影响，而供应商没有提供补丁程序。

  - BIND 未正确排序上游递归提取上下文中的清理操作，在某些情况下导致可触发 named 中断言失败和崩溃的释放后使用错误。影响 BIND 9.0.0 至 9.8.x、 9.9.0 至 9.9.11、 9.10.0 至 9.10.6、 9.11.0 至 9.11.2、9.9.3-S1 至 9.9.11-S1、9.10.5-S1 至 9.10.6-S1、 9.12.0a1 至 9.12.0rc1。 (CVE-2017-3145)

请注意，Nessus 依赖供应商报告的程序包是否存在进行判断。

Cygate AB 的 Jayachandran Palanisamy 报告 DNS 服务器实现 BIND 未正确排序清理操作，在某些情况下会导致释放后使用错误，在 named 中触发断言失败和崩溃。针对 Debian 7“Wheezy”，这些问题已在版本 1:9.8.4.dfsg.P1-6+nmu2+deb7u19 中修复。我们建议您升级 bind9 程序包。注意：Tenable Network Security 已直接从 DLA 安全公告中提取上述描述块。Tenable 已尝试在不引入其他问题的情况下，尽可能进行自动整理和排版。

解析器中不正确的提取清理顺序可能导致 named 崩溃：在 BIND 内部处理上游递归提取环境中清除操作的方式中发现可导致拒绝服务的释放后使用缺陷。远程攻击者可利用此缺陷，通过特制的 DNS 请求，使 named 作为 DNSSEC 验证解析器意外退出，并出现断言失败。(CVE-2017-3145)

bind 更新现可用于 Red Hat Enterprise Linux 6。Red Hat 产品安全团队将此更新评级为具有重要安全影响。可从“参考”部分中的 CVE 链接获取通用漏洞评分系统 (CVSS) 基本分数，其针对每个漏洞给出了详细的严重性等级。Berkeley Internet Name Domain (BIND) 是域名系统 (DNS) 协议的一种实现。BIND 包含一个 DNS 服务器 (named)；一个解析器库（与 DNS 接合时供应用程序使用的例程）；以及用于验证 DNS 服务器是否正常运行的工具。安全修复：* 在 BIND 内部处理上游递归提取环境中清除操作的方式中发现可导致拒绝服务的释放后使用缺陷。远程攻击者可利用此缺陷，通过特制的 DNS 请求，使 named 作为 DNSSEC 验证解析器意外退出，并出现断言失败。(CVE-2017-3145) Red Hat 在此感谢 ISC 报告此问题。上游感谢原始报告者 Jayachandran Palanisamy (Cygate AB)。

bind 更新现可用于 Red Hat Enterprise Linux 7。Red Hat 产品安全团队将此更新评级为具有重要安全影响。可从“参考”部分中的 CVE 链接获取通用漏洞评分系统 (CVSS) 基本分数，其针对每个漏洞给出了详细的严重性等级。Berkeley Internet Name Domain (BIND) 是域名系统 (DNS) 协议的一种实现。BIND 包含一个 DNS 服务器 (named)；一个解析器库（与 DNS 接合时供应用程序使用的例程）；以及用于验证 DNS 服务器是否正常运行的工具。安全修复：* 在 BIND 内部处理上游递归提取环境中清除操作的方式中发现可导致拒绝服务的释放后使用缺陷。远程攻击者可利用此缺陷，通过特制的 DNS 请求，使 named 作为 DNSSEC 验证解析器意外退出，并出现断言失败。(CVE-2017-3145) Red Hat 在此感谢 ISC 报告此问题。上游感谢原始报告者 Jayachandran Palanisamy (Cygate AB)。

Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server implementation, was improperly sequencing cleanup operations, leading in some cases to a use-after-free error, triggering an assertion failure and crash in named.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:0102 advisory.

    The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols.
    BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing     with DNS); and tools for verifying that the DNS server is operating correctly.

    Security Fix(es):

    * A use-after-free flaw leading to denial of service was found in the way BIND internally handled cleanup     operations on upstream recursion fetch contexts. A remote attacker could potentially use this flaw to make     named, acting as a DNSSEC validating resolver, exit unexpectedly with an assertion failure via a specially     crafted DNS request. (CVE-2017-3145)

    Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Jayachandran Palanisamy     (Cygate AB) as the original reporter.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix (CVE-2017-3145)

According to the version of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - A use-after-free flaw leading to denial of service was     found in the way BIND internally handled cleanup     operations on upstream recursion fetch contexts. A     remote attacker could potentially use this flaw to make     named, acting as a DNSSEC validating resolver, exit     unexpectedly with an assertion failure via a specially     crafted DNS request. (CVE-2017-3145)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named.
(CVE-2017-3145)

Impact

BIG-IP

A remote attacker can use this flaw to make named , acting as a Domain Name System Security Extensions (DNSSEC) validating resolver, exit unexpectedly with an assertion failure by way of a specially crafted DNS request.

This vulnerability affects BIND only when configured as a recursive resolver with DNSSEC validation enabled. That mode of operation is not present in any default configuration but can be enabled.

ARX, Enterprise Manager, BIG-IQ, F5 iWorkflow, LineRate, and Traffix

There is no impact; these F5 products are not affected by this vulnerability.

The remote NewStart CGSL host, running version MAIN 4.05, has bind packages installed that are affected by a vulnerability:

  - A use-after-free flaw leading to denial of service was     found in the way BIND internally handled cleanup     operations on upstream recursion fetch contexts. A     remote attacker could potentially use this flaw to make     named, acting as a DNSSEC validating resolver, exit     unexpectedly with an assertion failure via a specially     crafted DNS request. (CVE-2017-3145)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 5.04, has bind packages installed that are affected by a vulnerability:

  - A use-after-free flaw leading to denial of service was     found in the way BIND internally handled cleanup     operations on upstream recursion fetch contexts. A     remote attacker could potentially use this flaw to make     named, acting as a DNSSEC validating resolver, exit     unexpectedly with an assertion failure via a specially     crafted DNS request. (CVE-2017-3145)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the bind packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A denial of service flaw was found in the way BIND     constructed a response to a query that met certain     criteria. A remote attacker could use this flaw to make     named exit unexpectedly with an assertion failure via a     specially crafted DNS request packet.(CVE-2016-2776)

  - A denial of service flaw was found in the way BIND     processed certain control channel input. A remote     attacker able to send a malformed packet to the control     channel could use this flaw to cause named to     crash.(CVE-2016-1285)

  - A flaw was found in the way BIND performed DNSSEC     validation. An attacker able to make BIND (functioning     as a DNS resolver with DNSSEC validation enabled)     resolve a name in an attacker-controlled domain could     cause named to exit unexpectedly with an assertion     failure.(CVE-2015-4620)

  - A flaw was found in the way BIND handled requests for     TKEY DNS resource records. A remote attacker could use     this flaw to make named (functioning as an     authoritative DNS server or a DNS resolver) exit     unexpectedly with an assertion failure via a specially     crafted DNS request packet.(CVE-2015-5477)

  - A denial of service flaw was found in the way BIND     handled queries for NSEC3-signed zones. A remote     attacker could use this flaw against an authoritative     name server that served NCES3-signed zones by sending a     specially crafted query, which, when processed, would     cause named to crash.(CVE-2014-0591)

  - A denial of service flaw was found in the way BIND     parsed certain malformed DNSSEC keys. A remote attacker     could use this flaw to send a specially crafted DNS     query (for example, a query requiring a response from a     zone containing a deliberately malformed key) that     would cause named functioning as a validating resolver     to crash.(CVE-2015-5722)

  - It was found that the lightweight resolver protocol     implementation in BIND could enter an infinite     recursion and crash when asked to resolve a query name     which, when combined with a search list entry, exceeds     the maximum allowable length. A remote attacker could     use this flaw to crash lwresd or named when using the     'lwres' statement in named.conf.(CVE-2016-2775)

  - A denial of service flaw was found in the way BIND     processed certain records with malformed class     attributes. A remote attacker could use this flaw to     send a query to request a cached record with a     malformed class attribute that would cause named     functioning as an authoritative or recursive server to     crash. Note: This issue affects authoritative servers     as well as recursive servers, however authoritative     servers are at limited risk if they perform     authentication when making recursive queries to resolve     addresses for servers listed in NS     RRSETs.(CVE-2015-8000)

  - A denial of service flaw was found in the way BIND     handled responses containing a DNAME answer. A remote     attacker could use this flaw to make named exit     unexpectedly with an assertion failure via a specially     crafted DNS response.(CVE-2016-8864)

  - A denial of service flaw was found in the way BIND     processed a response to an ANY query. A remote attacker     could use this flaw to make named exit unexpectedly     with an assertion failure via a specially crafted DNS     response.(CVE-2016-9131)

  - A denial of service flaw was found in the way BIND     followed DNS delegations. A remote attacker could use a     specially crafted zone containing a large number of     referrals which, when looked up and processed, would     cause named to use excessive amounts of memory or     crash.(CVE-2014-8500)

  - A flaw was found in the way BIND handled trust anchor     management. A remote attacker could use this flaw to     cause the BIND daemon (named) to crash under certain     conditions.(CVE-2015-1349)

  - A denial of service flaw was found in the way BIND     parsed signature records for DNAME records. By sending     a specially crafted query, a remote attacker could use     this flaw to cause named to crash.(CVE-2016-1286)

  - A use-after-free flaw leading to denial of service was     found in the way BIND internally handled cleanup     operations on upstream recursion fetch contexts. A     remote attacker could potentially use this flaw to make     named, acting as a DNSSEC validating resolver, exit     unexpectedly with an assertion failure via a specially     crafted DNS request.(CVE-2017-3145)

  - A denial of service flaw was found in the way BIND     handled query requests when using DNS64 with     'break-dnssec yes' option. A remote attacker could use     this flaw to make named exit unexpectedly with an     assertion failure via a specially crafted DNS     request.(CVE-2017-3136)

  - A flaw was found in the way BIND handled TSIG     authentication of AXFR requests. A remote attacker,     able to communicate with an authoritative BIND server,     could use this flaw to view the entire contents of a     zone by sending a specially constructed request     packet.(CVE-2017-3142)

  - A flaw was found in the way BIND handled TSIG     authentication for dynamic updates. A remote attacker     able to communicate with an authoritative BIND server     could use this flaw to manipulate the contents of a     zone, by forging a valid TSIG or SIG(0) signature for a     dynamic update request.(CVE-2017-3143)

  - A denial of service flaw was discovered in bind     versions that include the 'deny-answer-aliases'     feature. This flaw may allow a remote attacker to     trigger an INSIST assert in named leading to     termination of the process and a denial of service     condition.(CVE-2018-5740)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
221206	Linux Distros 未修补的漏洞: CVE-2017-3145	Nessus	Misc.	3/4/2025	3/4/2025	high
106211	Debian DLA-1255-1：bind9 安全更新	Nessus	Debian Local Security Checks	1/22/2018	1/11/2021	high
106931	Amazon Linux AMI：bind (ALAS-2018-954)	Nessus	Amazon Linux Local Security Checks	2/22/2018	2/12/2019	high
106233	CentOS 6 : bind (CESA-2018:0101)	Nessus	CentOS Local Security Checks	1/23/2018	12/31/2019	high
106234	CentOS 7 : bind (CESA-2018:0102)	Nessus	CentOS Local Security Checks	1/23/2018	12/31/2019	high
106076	Debian DSA-4089-1 : bind9 - security update	Nessus	Debian Local Security Checks	1/17/2018	2/12/2019	high
106245	RHEL 7 : bind (RHSA-2018:0102)	Nessus	Red Hat Local Security Checks	1/23/2018	3/24/2025	high
106291	OracleVM 3.3 / 3.4 : bind (OVMSA-2018-0014)	Nessus	OracleVM Local Security Checks	1/24/2018	9/27/2019	high
106765	EulerOS 2.0 SP1 : bind (EulerOS-SA-2018-1037)	Nessus	Huawei Local Security Checks	2/13/2018	1/6/2021	high
118626	F5 Networks BIG-IP : BIND vulnerability (K08613310)	Nessus	F5 Networks Local Security Checks	11/2/2018	11/2/2023	high
127370	NewStart CGSL MAIN 4.05 : bind Vulnerability (NS-SA-2019-0123)	Nessus	NewStart CGSL Local Security Checks	8/12/2019	1/14/2021	high
127159	NewStart CGSL MAIN 5.04 : bind Vulnerability (NS-SA-2019-0011)	Nessus	NewStart CGSL Local Security Checks	8/12/2019	1/14/2021	high
124936	EulerOS Virtualization 3.0.1.0 : bind (EulerOS-SA-2019-1433)	Nessus	Huawei Local Security Checks	5/14/2019	2/18/2025	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high

high

high

high

high