CVE-2017-3136 Explained : Impact and Mitigation
Learn about CVE-2017-3136, a vulnerability in BIND 9 that allows attackers to trigger denial-of-service by crafting specific queries. Find out the impacted versions and steps to mitigate the issue.
A server that employs DNS64 may experience an assertion failure and terminate if it receives a query with specific characteristics. To exploit this vulnerability and cause denial-of-service, an attacker could intentionally craft a query that satisfies the prerequisites mentioned, provided that the server is configured to use the DNS64 feature. This issue affects various versions of BIND.
Understanding CVE-2017-3136
This CVE involves an error handling synthesized records that could lead to an assertion failure when using DNS64 with the option "break-dnssec yes;".
What is CVE-2017-3136?
This vulnerability allows an attacker to trigger a denial-of-service condition on servers using DNS64 by sending a specially crafted query.
The Impact of CVE-2017-3136
- CVSS Base Score: 5.9 (Medium)
- Attack Vector: Network
- Attack Complexity: High
- Availability Impact: High
- Privileges Required: None
Technical Details of CVE-2017-3136
This section provides more in-depth technical insights into the vulnerability.
Vulnerability Description
A query with specific characteristics can cause a server using DNS64 to encounter an assertion failure and terminate, potentially leading to a denial-of-service scenario.
Affected Systems and Versions
- Product: BIND 9
- Vendor: ISC
- Versions: 9.8.0 to 9.8.8-P1, 9.9.0 to 9.9.9-P6, 9.9.10b1 to 9.9.10rc1, 9.10.0 to 9.10.4-P6, 9.10.5b1 to 9.10.5rc1, 9.11.0 to 9.11.0-P3, 9.11.1b1 to 9.11.1rc1, 9.9.3-S1 to 9.9.9-S8.
Exploitation Mechanism
An attacker can exploit this vulnerability by crafting a specific query that triggers the assertion failure on servers configured to use DNS64 with the "break-dnssec yes;" option.
Mitigation and Prevention
It is crucial to take immediate steps to address and prevent the exploitation of this vulnerability.
Immediate Steps to Take
- Upgrade to the patched release closest to your current BIND version.
- Ensure servers are not configured to use DNS64 with the "break-dnssec yes;" option.
Long-Term Security Practices
- Regularly update BIND to the latest versions to mitigate known vulnerabilities.
- Implement network security measures to detect and block malicious queries.
Patching and Updates
- Download the patched releases from the ISC website.
- Consider using BIND Supported Preview Edition for additional support.
- Look out for upcoming maintenance releases that address this vulnerability.