CVE-2017-3139 - Reachable Assertion vulnerability in Redhat products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Tags: network, low complexity, redhat, CWE-617, nessus

Summary

A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2017-1202.NASL
    description: An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100066
    published: 2017-05-10
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100066
    title: CentOS 6 : bind (CESA-2017:1202)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1285.NASL
    description: BIND, a DNS server implementation, was found to be vulnerable to a denial of service flaw in the handling of DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. This issue is closely related to CVE-2017-3139. For Debian 7
    last seen: 2020-03-17
    modified: 2018-02-20
    plugin id: 106872
    published: 2018-02-20
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106872
    title: Debian DLA-1285-1 : bind9 security update
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-1582.NASL
    description: An update for bind is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterprise Linux 6.5 Telco Extended Update Support, Red Hat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux 6.6 Telco Extended Update Support, and Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137) * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Red Hat would like to thank ISC for reporting CVE-2017-3137. Bug Fix(es) : * ICANN is planning to perform a Root Zone DNSSEC Key Signing Key (KSK) rollover during October 2017. Maintaining an up-to-date KSK, by adding the new root zone KSK, is essential for ensuring that validating DNS resolvers continue to function following the rollover. (BZ#1458229, BZ#1458230, BZ#1458231, BZ#1458232, BZ#1458233)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101099
    published: 2017-06-29
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101099
    title: RHEL 6 : bind (RHSA-2017:1582)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20170508_BIND_ON_SL6_X.NASL
    description: Security Fix(es) : - A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with EL6.
    last seen: 2020-03-18
    modified: 2017-05-09
    plugin id: 100048
    published: 2017-05-09
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100048
    title: Scientific Linux Security Update : bind on SL6.x i386/x86_64 (20170508)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-1202.NASL
    description: An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100047
    published: 2017-05-09
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100047
    title: RHEL 6 : bind (RHSA-2017:1202)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2017-833.NASL
    description: A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100553
    published: 2017-06-01
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100553
    title: Amazon Linux AMI : bind (ALAS-2017-833)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2017-1202.NASL
    description: From Red Hat Security Advisory 2017:1202 : An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100046
    published: 2017-05-09
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100046
    title: Oracle Linux 6 : bind (ELSA-2017-1202)
  • NASL family: Virtuozzo Local Security Checks
    NASL id: VIRTUOZZO_VZLSA-2017-1202.NASL
    description: An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101461
    published: 2017-07-13
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101461
    title: Virtuozzo 6 : bind / bind-chroot / bind-devel / bind-libs / etc (VZLSA-2017-1202)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0102_BIND.NASL
    description: The remote NewStart CGSL host, running version MAIN 4.05, has bind packages installed that are affected by multiple vulnerabilities: - A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG(0) signature for a dynamic update request. (CVE-2017-3143) - A flaw was found in the way BIND handled TSIG authentication of AXFR requests. A remote attacker, able to communicate with an authoritative BIND server, could use this flaw to view the entire contents of a zone by sending a specially constructed request packet. (CVE-2017-3142) - A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) - A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137) - It was found that the lightweight resolver protocol implementation in BIND could enter an infinite recursion and crash when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. A remote attacker could use this flaw to crash lwresd or named when using the lwres statement in named.conf. (CVE-2016-2775) - A denial of service flaw was found in the way BIND handled query requests when using DNS64 with break-dnssec yes option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3136) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127330
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127330
    title: NewStart CGSL MAIN 4.05 : bind Multiple Vulnerabilities (NS-SA-2019-0102)

Redhat

advisories
bugzilla
id: 1447743
title: CVE-2017-3139 bind: assertion failure in DNSSEC validation
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 6 is installed
      oval: oval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • comment: bind-devel is earlier than 32:9.8.2-0.62.rc1.el6_9.2
          oval: oval:com.redhat.rhsa:tst:20171202001
        • comment: bind-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20170651004
      • AND
        • comment: bind-sdb is earlier than 32:9.8.2-0.62.rc1.el6_9.2
          oval: oval:com.redhat.rhsa:tst:20171202003
        • comment: bind-sdb is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20170651002
      • AND
        • comment: bind-chroot is earlier than 32:9.8.2-0.62.rc1.el6_9.2
          oval: oval:com.redhat.rhsa:tst:20171202005
        • comment: bind-chroot is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20170651008
      • AND
        • comment: bind-libs is earlier than 32:9.8.2-0.62.rc1.el6_9.2
          oval: oval:com.redhat.rhsa:tst:20171202007
        • comment: bind-libs is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20170651010
      • AND
        • comment: bind is earlier than 32:9.8.2-0.62.rc1.el6_9.2
          oval: oval:com.redhat.rhsa:tst:20171202009
        • comment: bind is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20170651006
      • AND
        • comment: bind-utils is earlier than 32:9.8.2-0.62.rc1.el6_9.2
          oval: oval:com.redhat.rhsa:tst:20171202011
        • comment: bind-utils is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20170651012
rhsa
id: RHSA-2017:1202
released: 2017-05-08
severity: Important
title: RHSA-2017:1202: bind security update (Important)
rpms
  • bind-32:9.8.2-0.62.rc1.el6_9.2
  • bind-chroot-32:9.8.2-0.62.rc1.el6_9.2
  • bind-debuginfo-32:9.8.2-0.62.rc1.el6_9.2
  • bind-devel-32:9.8.2-0.62.rc1.el6_9.2
  • bind-libs-32:9.8.2-0.62.rc1.el6_9.2
  • bind-sdb-32:9.8.2-0.62.rc1.el6_9.2
  • bind-utils-32:9.8.2-0.62.rc1.el6_9.2
  • bind-32:9.7.3-8.P3.el6_2.9
  • bind-32:9.8.2-0.17.rc1.el6_4.12
  • bind-32:9.8.2-0.23.rc1.el6_5.7
  • bind-32:9.8.2-0.30.rc1.el6_6.9
  • bind-32:9.8.2-0.37.rc1.el6_7.11
  • bind-chroot-32:9.7.3-8.P3.el6_2.9
  • bind-chroot-32:9.8.2-0.17.rc1.el6_4.12
  • bind-chroot-32:9.8.2-0.23.rc1.el6_5.7
  • bind-chroot-32:9.8.2-0.30.rc1.el6_6.9
  • bind-chroot-32:9.8.2-0.37.rc1.el6_7.11
  • bind-debuginfo-32:9.7.3-8.P3.el6_2.9
  • bind-debuginfo-32:9.8.2-0.17.rc1.el6_4.12
  • bind-debuginfo-32:9.8.2-0.23.rc1.el6_5.7
  • bind-debuginfo-32:9.8.2-0.30.rc1.el6_6.9
  • bind-debuginfo-32:9.8.2-0.37.rc1.el6_7.11
  • bind-devel-32:9.7.3-8.P3.el6_2.9
  • bind-devel-32:9.8.2-0.17.rc1.el6_4.12
  • bind-devel-32:9.8.2-0.23.rc1.el6_5.7
  • bind-devel-32:9.8.2-0.30.rc1.el6_6.9
  • bind-devel-32:9.8.2-0.37.rc1.el6_7.11
  • bind-libs-32:9.7.3-8.P3.el6_2.9
  • bind-libs-32:9.8.2-0.17.rc1.el6_4.12
  • bind-libs-32:9.8.2-0.23.rc1.el6_5.7
  • bind-libs-32:9.8.2-0.30.rc1.el6_6.9
  • bind-libs-32:9.8.2-0.37.rc1.el6_7.11
  • bind-sdb-32:9.7.3-8.P3.el6_2.9
  • bind-sdb-32:9.8.2-0.17.rc1.el6_4.12
  • bind-sdb-32:9.8.2-0.23.rc1.el6_5.7
  • bind-sdb-32:9.8.2-0.30.rc1.el6_6.9
  • bind-sdb-32:9.8.2-0.37.rc1.el6_7.11
  • bind-utils-32:9.7.3-8.P3.el6_2.9
  • bind-utils-32:9.8.2-0.17.rc1.el6_4.12
  • bind-utils-32:9.8.2-0.23.rc1.el6_5.7
  • bind-utils-32:9.8.2-0.30.rc1.el6_6.9
  • bind-utils-32:9.8.2-0.37.rc1.el6_7.11