PT-2017-15684 · Isc+7 · Bind+7
Clément Berthaux · Published 2017-06-29 · Updated 2024-06-15 · CVE-2017-3142
CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
BIND versions 9.4.0 through 9.8.8
BIND versions 9.9.0 through 9.9.10-P1
BIND versions 9.10.0 through 9.10.5-P1
BIND versions 9.11.0 through 9.11.1-P1
BIND versions 9.9.3-S1 through 9.9.10-S2
BIND versions 9.10.5-S1 through 9.10.5-S2
Description
The issue allows an attacker who can send and receive messages to an authoritative DNS server and has knowledge of a valid TSIG key name to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. This could result in providing an AXFR of a zone to an unauthorized recipient or accepting bogus NOTIFY packets. An attacker could exploit this by sending specially crafted data to bypass TSIG authentication and manipulate the server into accepting an unauthorized dynamic update.
Recommendations
For BIND versions 9.4.0 through 9.8.8, update to a version outside of this range to mitigate the risk.
For BIND versions 9.9.0 through 9.9.10-P1, update to a version outside of this range to mitigate the risk.
For BIND versions 9.10.0 through 9.10.5-P1, update to a version outside of this range to mitigate the risk.
For BIND versions 9.11.0 through 9.11.1-P1, update to a version outside of this range to mitigate the risk.
For BIND versions 9.9.3-S1 through 9.9.10-S2, update to a version outside of this range to mitigate the risk.
For BIND versions 9.10.5-S1 through 9.10.5-S2, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to the TSIG key name and implementing additional ACL protection to minimize the risk of exploitation.
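To check an installed server against the ranges listed above, the following added example (not part of the original advisory and not ISC's code) parses a version string such as the one `named -v` prints and reports which affected range, if any, contains it. It assumes that `-S` builds form a separate release line compared only against the `-S` ranges, and it rejects pre-release strings (rc, beta) rather than guessing their order.

```python
import re

# Affected ranges copied from the advisory text above, inclusive at both ends.
AFFECTED = [
    ("9.4.0", "9.8.8"),
    ("9.9.0", "9.9.10-P1"),
    ("9.10.0", "9.10.5-P1"),
    ("9.11.0", "9.11.1-P1"),
    ("9.9.3-S1", "9.9.10-S2"),
    ("9.10.5-S1", "9.10.5-S2"),
]

# x.y.z with an optional -P<n> or -S<n>; the lookahead rejects "9.10.5rc1".
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?(?![\w.])")


def parse(text):
    """Return (line, key); line is 'S' for -S builds, otherwise 'P'."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no BIND release version found in {text!r}")
    major, minor, patch, kind, n = m.groups()
    # Assumption: a release without a suffix sorts as patch level 0.
    key = (int(major), int(minor), int(patch), int(n or 0))
    return ("S" if kind == "S" else "P"), key


def affected_range(text):
    """Return the (low, high) advisory range containing the version, or None."""
    line, key = parse(text)
    for low, high in AFFECTED:
        low_line, low_key = parse(low)
        _, high_key = parse(high)
        # Only compare within the same release line (-S against -S ranges).
        if line == low_line and low_key <= key <= high_key:
            return (low, high)
    return None


if __name__ == "__main__":
    # Constructed sample strings in the style of `named -v` output.
    for s in ("BIND 9.11.1-P1 <id:constructed>", "BIND 9.11.1-P2",
              "BIND 9.9.10-S2", "BIND 9.9.10-S3"):
        print(f"{s!r:40} -> {affected_range(s)}")
```

Distribution packages commonly backport fixes without changing the upstream version number, so a match on a vendor build should be confirmed against that vendor's own advisory.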
Fix
RCE
Affected Products
Alt Linux
Bind
Bind Server
Centos
Ibm Aix
Red Hat
Suse
Ubuntu