JPCERT-AT-2017-0016 JPCERT/CC 2017-04-13 <<< JPCERT/CC Alert 2017-04-13 >>> Alert Regarding Multiple Vulnerabilities in ISC BIND 9 https://www.jpcert.or.jp/english/at/2017/at170016.html I. Overview ISC BIND 9 contains multiple vulnerabilities. When these vulnerabilities are exploited, a remote attacker may cause named to terminate. ISC has rated the severity of vulnerability CVE-2017-3137 as "High", CVE-2017-3136 and CVE-2017-3138 as "Medium". For more details on these vulnerabilities, please refer to the information provided by ISC. CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;" https://kb.isc.org/article/AA-01465/0 CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME https://kb.isc.org/article/AA-01466/0 CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel https://kb.isc.org/article/AA-01471/0 If you are operating an affected version of ISC BIND 9 (authoritative server, recursive server), please consider updating to a version that addresses these vulnerabilities by referring to the information in "III. Solution". II. Affected Systems According to ISC, the following versions are affected by these vulnerabilities. - CVE-2017-3136 : Medium - Versions from 9.9.0 to 9.9.9-P6 - Versions from 9.10.0 to 9.10.4-P6 - Versions from 9.11.0 to 9.11.0-P3 - Servers which have specific configuration ("break-dnssec yes;") and are using DNS64 are also affected - Versions 9.8.x which are no longer supported are also affected - CVE-2017-3137 : High - BIND 9 Version 9.9.9-P6 - BIND 9 Version 9.10.4-P6 - BIND 9 Version 9.11.0-P3 - Recursive resolvers are at highest risk but authoritative servers are theoretically vulnerable if they perform recursion - CVE-2017-3138 : Medium - Versions from 9.9.9 to 9.9.9-P7 - Versions from 9.10.4 to 9.10.4-P7 - Versions from 9.11.0 to 9.11.0-P4 - Servers which accept remote input from control channel are also affected The affected versions differ for each vulnerability. For more details, please refer to the following: BIND 9 Security Vulnerability Matrix https://kb.isc.org/article/AA-00913/ If you are using BIND provided by a distributor, please refer to the information provided by that distributor. III. Solution ISC has released versions of ISC BIND that address these vulnerabilities. Distributors are likely to provide their own versions that address these vulnerabilities. Consider updating to an updated version after thorough testing. Versions that address these vulnerabilities are as follows: ISC BIND - BIND 9 version 9.9.9-P8 - BIND 9 version 9.10.4-P8 - BIND 9 version 9.11.0-P5 IV. References US-CERT ISC Releases Security Updates for BIND https://www.us-cert.gov/ncas/current-activity/2017/04/12/ISC-Releases-Security-Updates-BIND Japan Registry Services (JPRS) (Urgent) Vulnerability in BIND 9.X (DNS Service Suspension) (CVE-2017-3137) (Japanese) - Strongly recommended to update the version - https://jprs.jp/tech/security/2017-04-13-bind9-vuln-cname-dname.html Japan Registry Services (JPRS) Vulnerability in BIND 9.X (DNS Service Suspension) (CVE-2017-3136) (Japanese) - Servers which have specific configuration ("break-dnssec yes;") and are using DNS64 are also affected; Recommended to update the version - https://jprs.jp/tech/security/2017-04-13-bind9-vuln-dns64.html Japan Registry Services (JPRS) Vulnerability in BIND 9.x (DNS Service Suspension) (CVE-2017-3138) (Japanese) - Recommended to update the version - https://jprs.jp/tech/security/2017-04-13-bind9-vuln-control-channel.html If you have any information regarding this alert, please contact JPCERT/CC. ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/