CVE-2017-3138

NameCVE-2017-3138
Descriptionnamed contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-957-1, DSA-3854-1
NVD severitylow (attack range: remote)
Debian Bugs860226

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)jessie1:9.9.5.dfsg-9+deb8u15fixed
jessie (security)1:9.9.5.dfsg-9+deb8u18fixed
stretch1:9.10.3.dfsg.P4-12.3+deb9u4fixed
stretch (security)1:9.10.3.dfsg.P4-12.3+deb9u5fixed
buster, bullseye, sid1:9.11.5.P4+dfsg-5.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bind9source(unstable)1:9.10.3.dfsg.P4-12.3low860226
bind9sourcejessie1:9.9.5.dfsg-9+deb8u11lowDSA-3854-1
bind9sourcewheezy1:9.8.4.dfsg.P1-6+nmu2+deb7u16lowDLA-957-1

Notes

https://kb.isc.org/article/AA-01471
Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=a636604b20cc0aaabc8edbb7595f7c1c820b7610
In practice for any Debian version applying this commit is merely
hardening, since the feature to allow only a subset of "read only"
commands was added only in 9.11.0 and before existing commands permitted
over the control channel were already be given to cause the server to stop.
The CVE-2017-3138 is barely an issue in practice anyway.

Search for package or bug name: Reporting problems