PT-2017-3340 · Isc+7 · Bind+7

Clément Berthaux · Published 2017-06-29 · Updated 2019-10-03 · CVE-2017-3143

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

BIND versions 9.4.0 through 9.8.8
BIND versions 9.9.0 through 9.9.10-P1
BIND versions 9.10.0 through 9.10.5-P1
BIND versions 9.11.0 through 9.11.1-P1
BIND versions 9.9.3-S1 through 9.9.10-S2
BIND versions 9.10.5-S1 through 9.10.5-S2

Description

The issue is caused by errors in the implementation of the TSIG authentication procedure in the BIND DNS server. An attacker who can send messages to and receive messages from an authoritative DNS server, and who knows a valid TSIG key name for the targeted zone and service, may be able to manipulate BIND into accepting an unauthorized dynamic update. This could allow the attacker to bypass TSIG authentication and obtain a legitimate signature for arbitrary messages using a specially crafted TSIG sequence.

Recommendations

For BIND versions 9.4.0 through 9.8.8, update to a version outside of this range to resolve the issue.
For BIND versions 9.9.0 through 9.9.10-P1, update to a version outside of this range to resolve the issue.
For BIND versions 9.10.0 through 9.10.5-P1, update to a version outside of this range to resolve the issue.
For BIND versions 9.11.0 through 9.11.1-P1, update to a version outside of this range to resolve the issue.
For BIND versions 9.9.3-S1 through 9.9.10-S2, update to a version outside of this range to resolve the issue.
For BIND versions 9.10.5-S1 through 9.10.5-S2, update to a version outside of this range to resolve the issue.

As a temporary workaround, consider restricting access to the TSIG authentication mechanism until a patch is available.
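
To triage an inventory against the ranges listed above, the following check can be used. It is an added example, not code from this advisory or from ISC; the function names and the sample inventory are hypothetical, and it assumes `-P` and `-S` releases are each compared only within their own track.

```python
import re

# Affected ranges as listed in this advisory: (low, high), inclusive.
# Key: (major, minor, patch, suffix number); a release with no suffix has 0.
MAINLINE = [  # plain and -P (patch) releases
    ((9, 4, 0, 0), (9, 8, 8, 0)),
    ((9, 9, 0, 0), (9, 9, 10, 1)),
    ((9, 10, 0, 0), (9, 10, 5, 1)),
    ((9, 11, 0, 0), (9, 11, 1, 1)),
]
PREVIEW = [  # -S (Supported Preview Edition) releases
    ((9, 9, 3, 1), (9, 9, 10, 2)),
    ((9, 10, 5, 1), (9, 10, 5, 2)),
]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?$")

def parse(version):
    """Return (track, key) for strings like '9.9.10-P1' or '9.10.5-S2'."""
    m = _VERSION.match(version.strip())
    if not m:
        # Alphas, betas, release candidates and vendor-suffixed builds are not handled.
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, kind, num = m.groups()
    track = PREVIEW if kind == "S" else MAINLINE
    return track, (int(major), int(minor), int(patch), int(num or 0))

def is_affected(version):
    """True if the version falls inside one of the advisory's listed ranges."""
    track, key = parse(version)
    return any(low <= key <= high for low, high in track)

def triage(inventory):
    """Map host -> 'affected' | 'not listed' | 'unknown' from {host: version}."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "unknown"  # needs manual review
    return result

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"ns1": "9.9.10-P1", "ns2": "9.9.10-P2", "ns3": "9.10.5-S2", "ns4": "9.11.2rc1"}
    for host, state in triage(sample).items():
        print(host, state)
```

Distribution packages often carry backported fixes under an unchanged upstream version number, so hosts reported as "unknown" or running vendor builds should be checked against the vendor advisories listed under Related Identifiers.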

Fix

Weakness Enumeration

Related Identifiers

ALT-PU-2017-1966
BDU:2018-00105
CESA-2017_1679
CESA-2017_1680
CVE-2017-3143
DLA-1025-1
DSA-3904-1
MGASA-2017-0478
OPENSUSE-SU-2017_1809-1
RHSA-2017:1679
RHSA-2017:1680
RHSA-2017_1679
RHSA-2017_1680
SUSE-SU-2017:1736-1
SUSE-SU-2017:1737-1
SUSE-SU-2017:1738-1
USN-3346-1
USN-3346-2
USN-3346-3

Affected Products

ALT Linux
BIND
BIND Server
CentOS
IBM AIX
Red Hat
SUSE
Ubuntu