CVE-2017-3135 : What You Need to Know

This CVE involves a vulnerability in BIND 9 that can lead to a crash when both DNS64 and RPZ are used simultaneously. The issue affects various versions of BIND, potentially causing query processing inconsistencies and system failures.

Understanding CVE-2017-3135

This section provides insights into the nature and impact of the vulnerability.

What is CVE-2017-3135?

When DNS64 and RPZ are combined, query processing inconsistencies may occur, leading to INSIST assertion failures or NULL pointer read attempts. This vulnerability affects multiple versions of BIND.

The Impact of CVE-2017-3135

The vulnerability poses a high severity risk with a CVSS base score of 7.5. It can result in process termination due to segmentation faults, affecting servers configured with both DNS64 and RPZ.

Technical Details of CVE-2017-3135

Explore the technical aspects of the vulnerability.

Vulnerability Description

The issue arises when using DNS64 and RPZ simultaneously, causing query processing inconsistencies and potential system crashes.

Affected Systems and Versions

BIND 9 versions 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1

Exploitation Mechanism

Servers configured with both DNS64 and RPZ are susceptible to encountering query processing inconsistencies, potentially leading to system crashes.

Mitigation and Prevention

Learn how to address and prevent the CVE-2017-3135 vulnerability.

Immediate Steps to Take

Upgrade to the patched release closest to your current BIND version

Long-Term Security Practices

Consider removing either DNS64 or RPZ from the configuration
Carefully restrict the contents of the policy zone

Patching and Updates

Upgrade to the following patched releases: BIND 9 version 9.9.9-P6, 9.10.4-P6, 9.11.0-P3
Utilize BIND Supported Preview Edition for eligible ISC support customers