CVE-2017-3143 : Security Advisory and Response

Learn about CVE-2017-3143, a high severity vulnerability in BIND affecting various versions. Find out the impact, affected systems, exploitation mechanism, and mitigation steps.

Understanding CVE-2017-3143

What is CVE-2017-3143?

An attacker who can send messages to and receive messages from an authoritative DNS server, and who knows a valid TSIG key name for the targeted zone and service, may be able to manipulate BIND into accepting an unauthorized dynamic update. The vulnerability affects several versions of BIND.

The Impact of CVE-2017-3143

This vulnerability has a CVSS base score of 7.5, indicating a high severity issue with a low attack complexity. It can lead to unauthorized dynamic updates in affected BIND versions.

Technical Details of CVE-2017-3143

Vulnerability Description

An attacker exploiting this vulnerability can manipulate BIND into accepting unauthorized dynamic updates by leveraging a valid TSIG key name for the targeted zone and service.

Affected Systems and Versions

        BIND 9.4.0 to 9.8.8
        BIND 9.9.0 to 9.9.10-P1
        BIND 9.10.0 to 9.10.5-P1
        BIND 9.11.0 to 9.11.1-P1
        BIND 9.9.3-S1 to 9.9.10-S2
        BIND 9.10.5-S1 to 9.10.5-S2

Exploitation Mechanism

The vulnerability can be exploited by an attacker who can communicate with an authoritative DNS server and possesses knowledge of a valid TSIG key name for the targeted zone and service.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to the patched release closest to your current BIND version.
        Implement Access Control Lists (ACLs) requiring address range validation and TSIG authentication.
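
The ACL mitigation above, sketched as a named.conf fragment that requires both a source address in an allowed range and a TSIG signature before a dynamic update is accepted. This is an added example, not configuration from the advisory; the key name, secret placeholder, ACL name, zone name, file name and address range are constructed for illustration.

```conf
// Constructed values throughout: replace the key name, secret, ACL name,
// zone, file and address range with your own.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

// Address range from which dynamic updates are expected.
acl ddns_clients { 192.0.2.0/24; };

// Weaker setting (shown commented out): any source address is accepted
// as long as the request matches ddns-key.
// zone "example.com" {
//     type master;
//     file "example.com.db";
//     allow-update { key "ddns-key"; };
// };

// Stricter setting: address match list elements are tested in order and
// the first match decides. The nested list { !ddns_clients; any; } matches
// every client outside ddns_clients, and the leading "!" turns that match
// into a rejection. Clients inside the range match nothing in the first
// element, fall through, and must then satisfy the key test.
zone "example.com" {
    type master;
    file "example.com.db";
    allow-update { !{ !ddns_clients; any; }; key "ddns-key"; };
};
```

Listing the address range and the key side by side, as in `{ ddns_clients; key "ddns-key"; }`, would accept a request that matches either element, which is why the nested negation is used. Run `named-checkconf` on the edited file before reloading.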

Long-Term Security Practices

        Regularly update BIND to the latest versions.
        Implement a comprehensive security policy for DNS server configurations.

Patching and Updates

Upgrade to the following patched releases:

        BIND 9 version 9.9.10-P2
        BIND 9 version 9.10.5-P2
        BIND 9 version 9.11.1-P2

For BIND Supported Preview Edition users:

        BIND 9 version 9.9.10-S3
        BIND 9 version 9.10.5-S3
