Main Vulnerability Database Vulnerabilities #VU5674

#VU5674 NULL pointer dereference in ISC BIND - CVE-2017-3135

Published: February 9, 2017 / Updated: February 10, 2017

Vulnerability identifier: #VU5674

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-3135

CWE-ID: CWE-476

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
ISC BIND

Software vendor:
ISC

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference error when parsing DNS queries, if ISC BIND is configured with Response Policy Zones (RPZ) and DNS64 to rewrite query responses. A remote unauthenticated attacker can send specially crafted DNS queries, trigger NULL pointer dereference and cause denial of service.

Successful exploitation of the vulnerability will result in DoS attack against affected daemon.

Remediation

Install the following versions to resolve this issue:

BIND 9 version 9.9.9-P6
BIND 9 version 9.10.4-P6
BIND 9 version 9.11.0-P3
BIND 9 version 9.9.9-S8

External links

https://kb.isc.org/article/AA-01453

#VU5674 NULL pointer dereference in ISC BIND - CVE-2017-3135

Description

Remediation

External links

Please verify you're human