[SingCERT] Alert on ISC Bind Vulnerabilities

Published on Saturday, 08 July 2017 22:03

Background
Berkeley Internet Name Domain (BIND) is a DNS implementation developed by the Internet Software Consortium (ISC) that is widely used on Unix and Linux operating systems. The Domain Name System (DNS) acts like the yellow pages for the Internet: it resolves domain names such as google-public-dns-a.google.com into IP addresses like 8.8.8.8 so that traffic can be directed to the correct sites.

Earlier this week, a security researcher reported two severe vulnerabilities in ISC BIND that can be remotely exploited. Details of the reported vulnerabilities are described in CVE-2017-3142 and CVE-2017-3143 (see links below). As the associated exploit code has also been posted online, many unpatched Internet-facing ISC BIND DNS servers are at risk.

Impact
An attacker may target an unpatched system by forging a valid Transaction Signature (TSIG) to perform a dynamic update on the DNS server. The attacker may also bypass the TSIG authentication of a DNS zone transfer (AXFR) to retrieve information about a DNS zone, allowing further targeted attacks on a victim's system.

Affected DNS Systems
DNS systems using the following BIND versions are affected:

  • 9.4.0 to 9.8.8
  • 9.9.0 to 9.9.10-P1
  • 9.10.0 to 9.10.5-P1
  • 9.11.0 to 9.11.1-P1
  • 9.9.3-S1 to 9.9.10-S2
  • 9.10.5-S1 to 9.10.5-S

Recommendation
System administrators are strongly advised to upgrade the affected BIND versions immediately to the patched release that is the most closely related to your current version.
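
To help decide which servers need the upgrade, here is an added example (not part of the SingCERT alert and not ISC tooling): a Python check that tests a version string, such as the output of `named -v`, against the affected ranges listed above. The last listed range is incomplete on this page and is left out, pre-release builds are rejected as an assumption, and the sample banners are constructed.

```python
import re

# Affected ranges from the list above (inclusive). The final list entry
# ("9.10.5-S1 to 9.10.5-S") is incomplete on the page, so it is not encoded.
AFFECTED = [
    ("9.4.0", "9.8.8"),
    ("9.9.0", "9.9.10-P1"),
    ("9.10.0", "9.10.5-P1"),
    ("9.11.0", "9.11.1-P1"),
    ("9.9.3-S1", "9.9.10-S2"),
]

# x.y.z with an optional -P<n> (patch) or -S<n> (-S edition) suffix.
# The lookahead rejects pre-releases such as 9.9.10rc1 (assumption: those
# are out of scope and should be reviewed by hand).
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?(?![\w.])")


def parse(text):
    """Return (track, sort_key) for the first BIND version found in text."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no supported BIND version in {text!r}")
    major, minor, patch, kind, level = m.groups()
    track = "S" if kind == "S" else "std"  # -S builds are compared separately
    return track, (int(major), int(minor), int(patch), int(level or 0))


def is_affected(text):
    """True if the version in text falls inside one of the AFFECTED ranges."""
    track, key = parse(text)
    for low, high in AFFECTED:
        low_track, low_key = parse(low)
        _, high_key = parse(high)
        if track == low_track and low_key <= key <= high_key:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample banners in the style of `named -v` output.
    for banner in ("BIND 9.9.10-P1", "BIND 9.11.1-P2", "BIND 9.9.10-S2",
                   "BIND 9.9.4-RedHat-9.9.4-50.el7_3.1"):
        print(f"{banner}: {'AFFECTED' if is_affected(banner) else 'not in listed ranges'}")
```

Distribution packages often backport fixes without changing the upstream version number, so confirm a positive result against the vendor's own advisory before treating the host as unpatched.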

References
CVE-2017-3142: https://deepthought.isc.org/article/AA-01504/
CVE-2017-3143: https://deepthought.isc.org/article/AA-01503/