ISC BIND updates/advisories


47 replies to this topic

#46 AplusWebMaster


Posted 30 June 2017 - 03:57 AM

FYI...

CVE-2017-3143: An error in TSIG authentication can permit unauthorized dynamic updates
- https://kb.isc.org/article/AA-01503
2017-06-29
CVE: CVE-2017-3143
Document Version: 2.0
Posting date: 29 June 2017
Program Impacted: BIND
Versions affected: 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2
Severity: High
Exploitable: Remotely
Description: An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update.
Impact: A server that relies solely on TSIG keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique...
Workarounds: The effects of this vulnerability can be mitigated by using Access Control Lists (ACLs) that require both address range validation and use of TSIG authentication in conjunction.  For information on how to configure this type of compound authentication control, please see:
- https://kb.isc.org/a...s-and-keys.html
Administrators who have made use of named.conf option "update-policy local;" should refer to the Administrator Reference Manual (ARM) for details of the automatic update policy that will be established and to assess whether or not this conveys any additional risk to their server.  (Note that this option is not enabled by default).
Active exploits: No known active exploits but a similar issue was announced publicly on 23 June 2017 by another DNS server software provider.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.10-P2
    BIND 9 version 9.10.5-P2
    BIND 9 version 9.11.1-P2
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9 version 9.9.10-S3
    BIND 9 version 9.10.5-S3 ...

CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers
- https://kb.isc.org/article/AA-01504
2017-06-29 ...

- http://www.securityt....com/id/1038809
CVE Reference: CVE-2017-3142, CVE-2017-3143
Jun 29 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.4.0 - 9.8.8, 9.9.0 - 9.9.10-P1, 9.10.0 - 9.10.5-P1, 9.11.0 - 9.11.1-P1, 9.9.3-S1 - 9.9.10-S2, 9.10.5-S1 - 9.10.5-S2
Description: Two vulnerabilities were reported in BIND. A remote user can bypass TSIG authentication to transfer a zone or modify zone contents...
Impact: A remote user can bypass authentication to transfer a zone or modify zone contents.
Solution: The vendor has issued a fix (9.9.10-P2, 9.10.5-P2, 9.11.1-P2).
The vendor advisories are available at:
- https://kb.isc.org/article/AA-01503
- https://kb.isc.org/article/AA-01504
 



.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
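The compound control that the CVE-2017-3143 workaround describes (source address range and TSIG key both required), sketched as a named.conf fragment with the key-only form shown commented out beside it. This is an added example, not text from the ISC advisory or the original post; the key name, secret placeholder, zone name, file path and the 192.0.2.0/24 range are assumptions.

```conf
// Constructed example. Key name, secret, zone, file path and
// address range are placeholders, not values from the advisory.
key "ddns-example-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // Key-only form: the server relies solely on TSIG, which is the
    // configuration the advisory's Impact section describes as exposed.
    // allow-update   { key "ddns-example-key"; };
    // allow-transfer { key "ddns-example-key"; };

    // Compound form: the negated nested list rejects every source
    // outside 192.0.2.0/24 before the key element is evaluated.
    // Sources inside the range fall through to the next element and
    // must still present the TSIG key.
    allow-update   { !{ !192.0.2.0/24; any; }; key "ddns-example-key"; };
    allow-transfer { !{ !192.0.2.0/24; any; }; key "ddns-example-key"; };
};
```

Running `named-checkconf` against the edited file before reloading catches syntax errors in the nested match list.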


#47 AplusWebMaster


Posted 17 January 2018 - 08:50 AM

FYI...

CVE-2017-3144: Failure to properly clean up closed OMAPI connections can exhaust available sockets
- https://kb.isc.org/article/AA-01541
Posting date: 16 Jan 2018
Program Impacted: DHCP
Versions affected: 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, 4.3.0 to 4.3.6.  
Older versions may also be affected but are well beyond their end-of-life (EOL).  
Releases prior to 4.1.0 have not been tested.
Severity: Medium
Exploitable: Remotely (if attackers are permitted access to a server's OMAPI control port)
Description: A vulnerability stemming from failure to properly clean up closed OMAPI connections can lead to exhaustion of the pool of socket descriptors available to the DHCP server.
Impact: By intentionally exploiting this vulnerability an attacker who is permitted to establish connections to the OMAPI control port can exhaust the pool of socket descriptors available to the DHCP server.
Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator. While the server will continue to receive and service DHCP client requests, the operator can be blocked from the ability to use OMAPI to control server state, add new lease reservations, etc.
Workarounds: The recommended remedy is to disallow access to the OMAPI control port from unauthorized clients (in accordance with best practices for server operation).
Active exploits: None known.
Solution: ISC has written a patch which properly cleans up closed socket connections and will include it in future maintenance releases of ISC DHCP.  The patch is also available upon request (to security-officer@isc.org) to parties who want to incorporate it into their own code before the next ISC maintenance releases.  However, we do not plan to issue a special security patch release of DHCP to address this particular issue because we have concluded that the workaround of denying OMAPI connections from unauthorized client addresses should be sufficient in almost all cases and is a recommended best practice for server operation...
Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.  (For current information on which versions are actively supported, please see:
- http://www.isc.org/downloads/
Last modified: January 16, 2018 at 1:01 pm
___

CVE-2017-3145: Improper fetch cleanup sequencing in the resolver can cause named to crash
- https://kb.isc.org/article/AA-01542
2018-01-16
Program Impacted: BIND
Versions affected: 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1
Severity: High
Exploitable: Remotely
Description: BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named.
Impact: While this bug has existed in BIND since 9.0.0, there are no known code paths leading to it in ISC releases prior to those containing the fix for CVE-2017-3137.  Thus while all instances of BIND ought to be patched, only ISC versions [9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1] acting as DNSSEC validating resolvers are currently known to crash due to this bug.  The known crash is an assertion failure in netaddr.c...
Active exploits: No known active exploits but crashes due to this bug have been reported by multiple parties.
Solution: Upgrade to the patched release most closely related to your current version of BIND.  These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.11-P1
    BIND 9 version 9.10.6-P1
    BIND 9 version 9.11.2-P1
    BIND 9 version 9.12.0rc2
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9 version 9.9.11-S2
    BIND 9 version 9.10.6-S2
___

- https://www.security....com/id/1040195
CVE Reference: CVE-2017-3137, CVE-2017-3145
Jan 16 2018
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.11-P1, 9.10.6-P1, 9.11.2-P1, 9.12.0rc2).
The vendor advisory is available at: https://kb.isc.org/article/AA-01542
___

- https://www.us-cert....ories-DHCP-BIND
Jan 16, 2018
___

- http://www.securityw...d-security-flaw
Jan 17, 2018
 



Edited by AplusWebMaster, 17 January 2018 - 11:53 AM.



#48 AplusWebMaster


Posted 02 March 2018 - 02:11 PM

FYI...

CVE-2018-5734: A malformed request can trigger an assertion failure in badcache.c
- https://kb.isc.org/a...4/CVE-2018-5734
Posting date: 28 Feb 2018
Program Impacted: BIND
Versions affected: 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, 9.10.6-S2
Severity: High
Exploitable: Remotely
Description: While handling a particular type of malformed packet BIND erroneously selects a SERVFAIL rcode instead of a FORMERR rcode. If the receiving view has the SERVFAIL cache feature enabled, this can trigger an assertion failure in badcache.c when the request doesn't contain all of the expected information.
Impact: Servers running the affected versions (9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, and 9.10.6-S2) are vulnerable if they allow recursion, unless the SERVFAIL cache is disabled for the receiving view...
Workarounds: Disabling the SERVFAIL cache with 'servfail-ttl 0;' will prevent taking the code path that leads to the assertion failure...
Solution: Upgrade to the patched release...
Related Documents: See our BIND9 Security Vulnerability Matrix at:
- https://kb.isc.org/article/AA-00913...
___

CVE-2018-5732: A specially constructed response from a malicious server can cause a buffer overflow in dhclient
- https://kb.isc.org/a...5/CVE-2018-5732
Posting date: 28 February 2018
Program Impacted: DHCP
Versions affected: 4.1.0 -> 4.1-ESV-R15, 4.2.0 -> 4.2.8, 4.3.0 -> 4.3.6, 4.4.0
Severity: High
Exploitable: Remotely
Description: Failure to properly bounds check a buffer used for processing DHCP options allows a malicious server (or an entity masquerading as a server) to cause a buffer overflow (and resulting crash) in dhclient by sending a response containing a specially options section.
Impact: Affected versions of dhclient should crash due to an out-of-bounds memory access if they receive and process a triggering response packet.  However, buffer overflow outcomes can vary by operating system and outcomes such as remote code execution may be possible in some circumstances.  Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution but we can not rule it out as impossible.  The safest course is to patch dhclient so that the buffer overflow cannot occur...
Solution:  Upgrade to the patched release most closely related to your current version of DHCP.
    DHCP 4.1-ESV-R15-P1
    DHCP 4.3.6-P1
    DHCP 4.4.1
Knowledge Base article: https://kb.isc.org/article/AA-01565
___

- https://www.security....com/id/1040436
- https://www.security....com/id/1040437
- https://www.security....com/id/1040438

- https://www.us-cert....ories-DHCP-BIND
March 01, 2018
 



Edited by AplusWebMaster, 02 March 2018 - 02:20 PM.

