CVE-2017-3138

Published: 16/01/2019 Updated: 09/10/2019
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6
VMScore: 314
Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

Vulnerability Summary

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
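A triage helper for the affected ranges listed above, as an added example that is not part of the original advisory. It assumes upstream ISC version strings, the ordering alpha < beta < rc < final < -P within one release, and that -S builds form a separate track; `AFFECTED`, `parse` and `is_affected` are illustrative names.

```python
import re

# Affected ranges for CVE-2017-3138, copied from the summary above.
AFFECTED = [
    ("9.9.9", "9.9.9-P7"), ("9.9.10b1", "9.9.10rc2"),
    ("9.10.4", "9.10.4-P7"), ("9.10.5b1", "9.10.5rc2"),
    ("9.11.0", "9.11.0-P4"), ("9.11.1b1", "9.11.1rc2"),
    ("9.9.9-S1", "9.9.9-S9"),
]

# Assumed ordering within one x.y.z: alpha < beta < rc < final < -P patch level.
STAGE = {"a": 0, "b": 1, "rc": 2, "": 3, "-P": 4}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(a|b|rc|-P|-S)?(\d+)?")


def parse(version):
    """Return (track, sort_key); track is 'S' for -S builds, else 'main'."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        # Vendor-suffixed strings are rejected on purpose: distribution
        # packages backport fixes without changing the upstream number.
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    base = (int(major), int(minor), int(patch))
    n = int(num or 0)
    if tag == "-S":
        return "S", base + (n,)
    return "main", base + (STAGE[tag or ""], n)


def is_affected(version):
    """True if the version falls inside any range listed for this CVE."""
    track, key = parse(version)
    for low, high in AFFECTED:
        low_track, low_key = parse(low)
        _, high_key = parse(high)
        # Only compare versions on the same track (main vs. -S).
        if track == low_track and low_key <= key <= high_key:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for v in ["9.9.9-P6", "9.9.9-P8", "9.9.10rc1", "9.9.10", "9.9.9-S4"]:
        print(v, "affected" if is_affected(v) else "not affected")
```

Distribution packages that backport the fix keep the old upstream version string, so check those against the distributor's advisory instead of this list.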

Vulnerable Product

isc bind 9.11.1

isc bind 9.11.0

isc bind 9.10.4

isc bind 9.9.10

isc bind 9.10.5

isc bind 9.9.9

netapp data ontap edge -

netapp oncommand balance -

netapp element software -

debian debian linux 8.0

Vendor Advisories

Several security issues were fixed in Bind ...
Several vulnerabilities were discovered in BIND, a DNS server implementation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-3136 Oleg Gorokhov of Yandex discovered that BIND does not properly handle certain queries when using DNS64 with the "break-dnssec yes;" option, allowing a remote att ...
Debian Bug report logs - #860224 bind9: CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;" Package: src:bind9; Maintainer for src:bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Da ...
Debian Bug report logs - #860226 bind9: CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel Package: src:bind9; Maintainer for src:bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Thu, ...
Debian Bug report logs - #889285 bind9: CVE-2018-5735: assertion failure in validator.c:1858 Package: bind9; Maintainer for bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Source for bind9 is src:bind9 (PTS, buildd, popcon) Reported by: Vladislav Kurz <vladislavkurz@webstepnet> Date: Sat, 3 Feb 2018 10:15: ...
Debian Bug report logs - #860225 bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME Package: src:bind9; Maintainer for src:bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Thu ...
A denial of service flaw was found in the way BIND processed control channel commands. A remote attacker with access to the BIND control channel could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted command ...
A security issue has been found in the bind named daemon, that will exit with a "require" assertion failure if it receives a null command string on its control channel. The control channel is not enabled by default and is usually restricted to a few remote hosts via an ACL and/or a transaction key ...