NULL pointer dereference in ISC BIND - CVE-2017-3135
Published: February 9, 2017 / Updated: February 10, 2017
Vulnerability identifier: #VU5674
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-3135
CWE-ID: CWE-476
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: ISC
Affected software:
ISC BIND
ISC BIND
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference error when parsing DNS queries, if ISC BIND is configured with Response Policy Zones (RPZ) and DNS64 to rewrite query responses. A remote unauthenticated attacker can send specially crafted DNS queries, trigger NULL pointer dereference and cause denial of service.
Successful exploitation of the vulnerability will result in DoS attack against affected daemon.
How to mitigate CVE-2017-3135
Install the following versions to resolve this issue:
- BIND 9 version 9.9.9-P6
- BIND 9 version 9.10.4-P6
- BIND 9 version 9.11.0-P3
- BIND 9 version 9.9.9-S8