CVE-2017-3138 : Security Advisory and Response

Learn about CVE-2017-3138, a vulnerability in BIND 9 software that allows attackers to crash servers by sending empty command strings. Find mitigation steps and upgrade recommendations here.

The named software in affected BIND 9 versions contains a bug that can cause the server to crash when it receives an empty command string.

Understanding CVE-2017-3138

This CVE involves a vulnerability in the BIND software that allows attackers to crash the server by sending an empty command string through the control channel.

What is CVE-2017-3138?

The named software in BIND 9 versions has a bug that triggers a server crash when it receives an empty command string through the control channel.

The Impact of CVE-2017-3138

This vulnerability has a CVSS base score of 6.5, indicating a medium severity issue with a high impact on availability. Attackers can exploit this flaw to cause servers to crash.

Technical Details of CVE-2017-3138

The technical aspects of this CVE include:

Vulnerability Description

A bug in the named software allows attackers to crash the server by sending an empty command string through the control channel.

Affected Systems and Versions

        Versions affected: 9.9.9-P7, 9.9.10rc2, 9.10.4-P7, 9.10.5rc2, 9.11.0-P4, 9.11.1rc2, 9.9.9-S9
        Product: BIND 9 by ISC

Exploitation Mechanism

Attackers can exploit this vulnerability by sending a null command string to the server, triggering a crash.

Mitigation and Prevention

To address CVE-2017-3138, consider the following steps:

Immediate Steps to Take

        Upgrade to the patched release closest to your current version
        Limit access to the control channel using network ACLs or TSIG keys
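
An added example, not part of the original advisory or ISC's code: a small Python check that reads the controls statement of a named.conf and reports control channels that are reachable beyond loopback or have no explicit keys clause. The loopback-only policy, the function names and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches one control channel definition inside a controls { } statement:
#   inet <addr> [port N] allow { ... } [keys { ... }];
INET_RE = re.compile(
    r"\binet\s+(?P<addr>\S+)(?:\s+port\s+(?:\d+|\*))?"
    r"\s+allow\s*\{(?P<allow>[^}]*)\}"
    r"(?:\s*keys\s*\{(?P<keys>[^}]*)\})?", re.S)

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = '''
controls {
    # inet 192.0.2.1 allow { any; };   (commented out, must be ignored)
    inet * port 953 allow { any; } keys { "rndc-key"; };
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet 10.0.0.5 allow { 10.0.0.0/24; };
};
'''

def strip_comments(text):
    """Remove /* */, // and # comments so disabled lines are not audited."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def is_loopback(token):
    """True for localhost or an address/prefix entirely inside loopback."""
    token = token.strip().strip('"')
    if token == "localhost":
        return True
    try:
        return ipaddress.ip_network(token, strict=False).is_loopback
    except ValueError:  # '*', 'any', named ACLs, negations: treat as exposed
        return False

def audit_controls(conf_text):
    """Return one finding string per weakness in each inet control channel."""
    findings = []
    for m in INET_RE.finditer(strip_comments(conf_text)):
        addr = m.group("addr")
        allow = [a for a in m.group("allow").split(";") if a.strip()]
        keys = [k for k in (m.group("keys") or "").split(";") if k.strip()]
        if not is_loopback(addr):
            findings.append(f"{addr}: listens on a non-loopback address")
        if any(not is_loopback(a) for a in allow):
            findings.append(f"{addr}: allow list admits non-loopback hosts")
        if not keys:
            findings.append(f"{addr}: no explicit keys clause; confirm which key protects it")
    return findings
```

Named ACLs in an allow list are reported as exposed because the check cannot resolve them; review those entries by hand.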

Long-Term Security Practices

        Regularly update BIND software to the latest version
        Implement network security measures to restrict unauthorized access

Patching and Updates

        Download the patched releases from ISC's official website
        Scheduled maintenance releases contain fixes for this vulnerability
