
CVE-2017-3140 : What You Need to Know

CVE-2017-3140 is a denial-of-service flaw in ISC BIND: when named is configured with Response Policy Zones (RPZ), an error in processing certain rule types (NSDNAME and NSIP) can send the server into an endless loop while handling a query. Affected versions, fixed releases and a workaround are listed below.

Understanding CVE-2017-3140

What is CVE-2017-3140?

If named is configured to use Response Policy Zones (RPZ), an error in processing certain rule types can cause BIND to loop endlessly while handling a query. The issue affects BIND 9.9.10, 9.10.5, 9.11.0 to 9.11.1, and the subscription releases 9.9.10-S1 and 9.10.5-S1.

The Impact of CVE-2017-3140

A server configured to use RPZ with NSDNAME or NSIP policy rules can suffer a degradation of service. A query that triggers the bug sends named into an endless loop, and the CPU time spent in that loop is no longer available for serving other queries. Servers that use only the other RPZ rule types (QNAME, IP and CLIENT-IP) are not affected.

Technical Details of CVE-2017-3140

Vulnerability Description

If named is configured to use Response Policy Zones (RPZ), an error in processing certain rule types can cause BIND to loop endlessly while handling a query. The rule types involved are NSDNAME (match on the name of a domain's nameserver) and NSIP (match on the address of a domain's nameserver).

Affected Systems and Versions

        Product: BIND 9
        Vendor: ISC
        Versions: 9.9.10, 9.10.5, 9.11.0 to 9.11.1, 9.9.10-S1, 9.10.5-S1

Exploitation Mechanism

        Attack Complexity: HIGH
        Attack Vector: NETWORK
        Availability Impact: LOW
        Privileges Required: NONE
        Scope: UNCHANGED
        User Interaction: NONE
        Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to the patched release closest to your current version of BIND (see Patching and Updates below).
        If you cannot upgrade immediately, remove NSDNAME and NSIP rules from your RPZ zones and use only the other rule types (QNAME, IP, CLIENT-IP); the loop is only triggered when NSDNAME or NSIP rules are present. Bump the SOA serial of each edited policy zone and reload named so the change takes effect.
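The audit below is an added example, not code from ISC or from the advisory. It writes a small constructed RPZ zone containing QNAME, IP, NSDNAME and NSIP rules, counts the NSDNAME/NSIP rules by the owner-name suffixes RPZ uses for those rule types (`.rpz-nsdname` and `.rpz-nsip`), writes a copy with those rules removed (the workaround above), and compares the version reported by `named -v`, if named is installed, against the affected list. The function names, the sample zone and the regular expression are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not ISC's code): audit an RPZ zone file for the NSDNAME and
# NSIP rule types involved in CVE-2017-3140, write a copy without them (the
# workaround for hosts that cannot upgrade yet), and check a BIND version
# string against the affected list. Function names, the sample zone and the
# regex are this example's own assumptions.

# Exit 0 if "$1" is one of the BIND versions the advisory lists as affected.
is_affected_version() {
    case "$1" in
        9.9.10|9.10.5|9.11.0|9.11.1|9.9.10-S1|9.10.5-S1) return 0 ;;
        *) return 1 ;;
    esac
}

# RPZ encodes the rule type in the owner name: NSDNAME rules end in
# ".rpz-nsdname" and NSIP rules in ".rpz-nsip", relative to the policy zone.
RISKY_RULE_RE='\.rpz-(nsdname|nsip)([.[:space:]]|$)'

# Print the number of NSDNAME/NSIP rules in zone file "$1" (0 if none).
count_risky_rules() {
    grep -E -c "$RISKY_RULE_RE" "$1" || true
}

# Write "$1" to "$2" with NSDNAME and NSIP rules removed. After applying this
# to a live policy zone, bump its SOA serial and reload named.
strip_risky_rules() {
    grep -E -v "$RISKY_RULE_RE" "$1" > "$2" || true
}

# Constructed sample RPZ zone (not from the page): two QNAME rules, one IP
# rule, one NSDNAME rule and one NSIP rule, all returning NXDOMAIN (CNAME .).
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 300
@                               SOA  localhost. root.localhost. 1 3600 900 2592000 300
                                NS   localhost.
; QNAME rules: block the name and everything under it
bad.example                     CNAME .
*.bad.example                   CNAME .
; IP rule: answers in 192.0.2.0/24
24.0.2.0.192.rpz-ip             CNAME .
; NSDNAME rule: any domain served by ns.evil.example
ns.evil.example.rpz-nsdname     CNAME .
; NSIP rule: any domain with a nameserver in 198.51.100.0/24
24.0.100.51.198.rpz-nsip        CNAME .
EOF
}

main() {
    zone=$(mktemp) || exit 1
    clean=$(mktemp) || exit 1
    write_sample_zone "$zone"
    echo "NSDNAME/NSIP rules in sample zone: $(count_risky_rules "$zone")"
    strip_risky_rules "$zone" "$clean"
    echo "NSDNAME/NSIP rules after workaround: $(count_risky_rules "$clean")"
    rm -f "$zone" "$clean"

    # On a real resolver, compare the running version with the affected list.
    # "named -v" prints e.g. "BIND 9.11.1-P1 (...)"; the second field is the version.
    ver=$(named -v 2>/dev/null | awk '{print $2}')
    if [ -n "$ver" ] && is_affected_version "$ver"; then
        echo "WARNING: BIND $ver is affected by CVE-2017-3140; upgrade or drop NSDNAME/NSIP rules"
    elif [ -n "$ver" ]; then
        echo "BIND $ver is not in the affected list"
    fi
}

main "$@"
```

Point `count_risky_rules` at your real policy zone files to find out whether the workaround applies to you at all; a resolver whose RPZ zones contain no `.rpz-nsdname` or `.rpz-nsip` owner names is not exposed to this bug even on an affected version, though it should still be upgraded.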

Long-Term Security Practices

        Track ISC security advisories and keep BIND on a currently supported, patched branch.
        Monitor resolver health (CPU usage, query latency and timeouts) so a named process stuck in a loop is detected quickly, and limit which networks may send queries to the resolver, since the issue is triggered by an unauthenticated network query.

Patching and Updates

        BIND 9 version 9.9.10-P1
        BIND 9 version 9.10.5-P1
        BIND 9 version 9.11.1-P1
        BIND 9 version 9.9.10-S2
        BIND 9 version 9.10.5-S2
