CVE-2017-3142 : Vulnerability Insights and Analysis
Learn about CVE-2017-3142, a vulnerability in BIND 9 versions that allows unauthorized zone transfers. Find out the impacted systems, exploitation mechanism, and mitigation steps.
CVE-2017-3142, published on June 29, 2017, addresses a vulnerability in BIND 9 versions that could allow attackers to bypass TSIG authentication and perform unauthorized zone transfers.
Understanding CVE-2017-3142
What is CVE-2017-3142?
If an attacker can communicate with an authoritative DNS server and knows a valid TSIG key name, they could exploit this vulnerability to manipulate the server into providing unauthorized zone transfers or accepting fake NOTIFY packets.
The Impact of CVE-2017-3142
This vulnerability could lead to unauthorized access to sensitive zone contents and potential manipulation of DNS server operations.
Technical Details of CVE-2017-3142
Vulnerability Description
The vulnerability allows attackers to bypass TSIG authentication in BIND 9 versions, potentially leading to unauthorized zone transfers.
Affected Systems and Versions
- Versions affected: 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2
Exploitation Mechanism
Attackers can carefully construct request packets to bypass TSIG authentication and manipulate DNS servers.
Mitigation and Prevention
Immediate Steps to Take
- Use Access Control Lists (ACLs) with address range validation and TSIG authentication together to mitigate the effects of this vulnerability.
Long-Term Security Practices
- Regularly update BIND to the patched releases available from ISC.
- Implement additional security measures beyond TSIG authentication.
Patching and Updates
- Upgrade to the patched releases closest to your current version:
- BIND 9 version 9.9.10-P2
- BIND 9 version 9.10.5-P2
- BIND 9 version 9.11.1-P2
- Consider using BIND Supported Preview Edition for enhanced security.