Vulnerabilities > CVE-2017-3139 - Reachable Assertion vulnerability in Redhat products

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

redhat

CWE-617

nessus

NVD

Published: 2019-04-09

Updated: 2021-05-14

Summary

A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.

Vulnerable Configurations

Part	Description	Count
OS	Redhat Redhat Enterprise Linux Server EUS 6.7 Redhat Enterprise Linux Server TUS 6.6 Redhat Enterprise Linux Server TUS 6.5 Redhat Enterprise Linux Server AUS 6.6 Redhat Enterprise Linux Server AUS 6.2 Redhat Enterprise Linux Server AUS 6.4 Redhat Enterprise Linux Server AUS 6.5	7

Common Weakness Enumeration (CWE)

CWE-617 - Reachable Assertion

Nessus

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2017-1202.NASL
description	An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND.
last seen	2020-06-01
modified	2020-06-02
plugin id	100066
published	2017-05-10
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100066
title	CentOS 6 : bind (CESA-2017:1202)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1285.NASL
description	BIND, a DNS server implementation, was found to be vulnerable to a denial of service flaw was found in the handling of DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. This issue is closely related to CVE-2017-3139. For Debian 7
last seen	2020-03-17
modified	2018-02-20
plugin id	106872
published	2018-02-20
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106872
title	Debian DLA-1285-1 : bind9 security update

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-1582.NASL
description	An update for bind is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterprise Linux 6.5 Telco Extended Update Support, Red Hat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux 6.6 Telco Extended Update Support, and Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137) * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Red Hat would like to thank ISC for reporting CVE-2017-3137. Bug Fix(es) : * ICANN is planning to perform a Root Zone DNSSEC Key Signing Key (KSK) rollover during October 2017. Maintaining an up-to-date KSK, by adding the new root zone KSK, is essential for ensuring that validating DNS resolvers continue to function following the rollover. (BZ#1458229, BZ#1458230, BZ# 1458231, BZ#1458232, BZ#1458233)
last seen	2020-06-01
modified	2020-06-02
plugin id	101099
published	2017-06-29
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101099
title	RHEL 6 : bind (RHSA-2017:1582)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20170508_BIND_ON_SL6_X.NASL
description	Security Fix(es) : - A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with EL6.
last seen	2020-03-18
modified	2017-05-09
plugin id	100048
published	2017-05-09
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100048
title	Scientific Linux Security Update : bind on SL6.x i386/x86_64 (20170508)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-1202.NASL
description	An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND.
last seen	2020-06-01
modified	2020-06-02
plugin id	100047
published	2017-05-09
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100047
title	RHEL 6 : bind (RHSA-2017:1202)

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2017-833.NASL
description	A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139)
last seen	2020-06-01
modified	2020-06-02
plugin id	100553
published	2017-06-01
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100553
title	Amazon Linux AMI : bind (ALAS-2017-833)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2017-1202.NASL
description	From Red Hat Security Advisory 2017:1202 : An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND.
last seen	2020-06-01
modified	2020-06-02
plugin id	100046
published	2017-05-09
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100046
title	Oracle Linux 6 : bind (ELSA-2017-1202)

NASL family	Virtuozzo Local Security Checks
NASL id	VIRTUOZZO_VZLSA-2017-1202.NASL
description	An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	101461
published	2017-07-13
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101461
title	Virtuozzo 6 : bind / bind-chroot / bind-devel / bind-libs / etc (VZLSA-2017-1202)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0102_BIND.NASL
description	The remote NewStart CGSL host, running version MAIN 4.05, has bind packages installed that are affected by multiple vulnerabilities: - A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG(0) signature for a dynamic update request. (CVE-2017-3143) - A flaw was found in the way BIND handled TSIG authentication of AXFR requests. A remote attacker, able to communicate with an authoritative BIND server, could use this flaw to view the entire contents of a zone by sending a specially constructed request packet. (CVE-2017-3142) - A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) - A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137) - It was found that the lightweight resolver protocol implementation in BIND could enter an infinite recursion and crash when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. A remote attacker could use this flaw to crash lwresd or named when using the lwres statement in named.conf. (CVE-2016-2775) - A denial of service flaw was found in the way BIND handled query requests when using DNS64 with break- dnssec yes option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3136) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	127330
published	2019-08-12
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127330
title	NewStart CGSL MAIN 4.05 : bind Multiple Vulnerabilities (NS-SA-2019-0102)

Redhat

advisories

bugzilla

id	1447743
title	CVE-2017-3139 bind: assertion failure in DNSSEC validation

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003

AND

comment bind-devel is earlier than 32:9.8.2-0.62.rc1.el6_9.2
oval oval:com.redhat.rhsa:tst:20171202001
comment bind-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20170651004

AND
comment bind-sdb is earlier than 32:9.8.2-0.62.rc1.el6_9.2
oval oval:com.redhat.rhsa:tst:20171202003
comment bind-sdb is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20170651002

AND

comment bind-chroot is earlier than 32:9.8.2-0.62.rc1.el6_9.2
oval oval:com.redhat.rhsa:tst:20171202005
comment bind-chroot is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20170651008

AND
comment bind-libs is earlier than 32:9.8.2-0.62.rc1.el6_9.2
oval oval:com.redhat.rhsa:tst:20171202007
comment bind-libs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20170651010
AND
comment bind is earlier than 32:9.8.2-0.62.rc1.el6_9.2
oval oval:com.redhat.rhsa:tst:20171202009
comment bind is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20170651006

AND

comment bind-utils is earlier than 32:9.8.2-0.62.rc1.el6_9.2
oval oval:com.redhat.rhsa:tst:20171202011
comment bind-utils is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20170651012

rhsa

id	RHSA-2017:1202
released	2017-05-08
severity	Important
title	RHSA-2017:1202: bind security update (Important)

rpms

bind-32:9.8.2-0.62.rc1.el6_9.2
bind-chroot-32:9.8.2-0.62.rc1.el6_9.2
bind-debuginfo-32:9.8.2-0.62.rc1.el6_9.2
bind-devel-32:9.8.2-0.62.rc1.el6_9.2
bind-libs-32:9.8.2-0.62.rc1.el6_9.2
bind-sdb-32:9.8.2-0.62.rc1.el6_9.2
bind-utils-32:9.8.2-0.62.rc1.el6_9.2
bind-32:9.7.3-8.P3.el6_2.9
bind-32:9.8.2-0.17.rc1.el6_4.12
bind-32:9.8.2-0.23.rc1.el6_5.7
bind-32:9.8.2-0.30.rc1.el6_6.9
bind-32:9.8.2-0.37.rc1.el6_7.11
bind-chroot-32:9.7.3-8.P3.el6_2.9
bind-chroot-32:9.8.2-0.17.rc1.el6_4.12
bind-chroot-32:9.8.2-0.23.rc1.el6_5.7
bind-chroot-32:9.8.2-0.30.rc1.el6_6.9
bind-chroot-32:9.8.2-0.37.rc1.el6_7.11
bind-debuginfo-32:9.7.3-8.P3.el6_2.9
bind-debuginfo-32:9.8.2-0.17.rc1.el6_4.12
bind-debuginfo-32:9.8.2-0.23.rc1.el6_5.7
bind-debuginfo-32:9.8.2-0.30.rc1.el6_6.9
bind-debuginfo-32:9.8.2-0.37.rc1.el6_7.11
bind-devel-32:9.7.3-8.P3.el6_2.9
bind-devel-32:9.8.2-0.17.rc1.el6_4.12
bind-devel-32:9.8.2-0.23.rc1.el6_5.7
bind-devel-32:9.8.2-0.30.rc1.el6_6.9
bind-devel-32:9.8.2-0.37.rc1.el6_7.11
bind-libs-32:9.7.3-8.P3.el6_2.9
bind-libs-32:9.8.2-0.17.rc1.el6_4.12
bind-libs-32:9.8.2-0.23.rc1.el6_5.7
bind-libs-32:9.8.2-0.30.rc1.el6_6.9
bind-libs-32:9.8.2-0.37.rc1.el6_7.11
bind-sdb-32:9.7.3-8.P3.el6_2.9
bind-sdb-32:9.8.2-0.17.rc1.el6_4.12
bind-sdb-32:9.8.2-0.23.rc1.el6_5.7
bind-sdb-32:9.8.2-0.30.rc1.el6_6.9
bind-sdb-32:9.8.2-0.37.rc1.el6_7.11
bind-utils-32:9.7.3-8.P3.el6_2.9
bind-utils-32:9.8.2-0.17.rc1.el6_4.12
bind-utils-32:9.8.2-0.23.rc1.el6_5.7
bind-utils-32:9.8.2-0.30.rc1.el6_6.9
bind-utils-32:9.8.2-0.37.rc1.el6_7.11

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Redhat

References