#VU16152 Assertion failure in ISC BIND


Published: 2018-11-28

Vulnerability identifier: #VU16152

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3136

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description
The vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the servers are configured to use DNS64 and if the option "break-dnssec yes;" is in use. A remote attacker can supply specially crafted queries, if it was configured to use the DNS64 feature and other preconditions were met, trigger a server using DNS64 assertion failure and cause the service to crash.

Mitigation
The vulnerability has been addressed in the versions 9.9.9-P8, 9.10.4-P8, 9.11.0-P5.

Vulnerable software versions

ISC BIND: 9.9.9 - 9.11.0b3

External links
http://kb.isc.org/docs/aa-01465

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Unisphere Central
OpenSUSE Linux update for bind
OpenSUSE Linux update for bind
Gentoo update for BIND
Debian update for bind9
Arch Linux update for bind
Amazon Linux AMI update for bind
Assertion failure in bind (Alpine package)
Red Hat update for bind
OpenSUSE Linux update for bind