CVE-2017-3145 : What You Need to Know

Learn about CVE-2017-3145, a critical vulnerability in BIND DNS software that could lead to denial of service. Find out the impacted versions and steps to mitigate the issue.

CVE-2017-3145, published on January 16, 2018, describes a sequencing issue in BIND that could lead to a use-after-free error, causing named to crash. This vulnerability affects various versions of BIND from 9.0.0 to 9.12.0rc1.

Understanding CVE-2017-3145

This CVE highlights a critical vulnerability in BIND that could result in a denial of service due to a crash in the named service.

What is CVE-2017-3145?

BIND, widely used DNS software, improperly sequenced cleanup operations, leading to a use-after-free error. This error could trigger an assertion failure, causing the named service to crash.

The Impact of CVE-2017-3145

The vulnerability has a CVSS base score of 7.5 (High severity) with a high availability impact. It could allow attackers to crash the DNS service, leading to a denial of service.

Technical Details of CVE-2017-3145

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The issue arises from improper sequencing of cleanup operations on upstream recursion fetch contexts, potentially resulting in a use-after-free error and a crash in the named service.

Affected Systems and Versions

The vulnerability impacts multiple versions of BIND, including 9.0.0 to 9.12.0rc1, exposing a wide range of systems to the risk of crashing the DNS service.

Exploitation Mechanism

Attackers can exploit this vulnerability by sending specially crafted DNS queries to the affected BIND servers, triggering the use-after-free error and causing the service to crash.

Mitigation and Prevention

To address CVE-2017-3145, immediate actions and long-term security practices are essential.

Immediate Steps to Take

- Upgrade to the patched release closest to your current BIND version, available from the official ISC website.
- If named is crashing, consider temporarily disabling DNSSEC validation until the patched version is installed.

Long-Term Security Practices

- Regularly update BIND to the latest versions to mitigate known vulnerabilities.
- Implement network segmentation and access controls to limit the impact of potential attacks.

Patching and Updates

Ensure timely patching by downloading the following patched releases:

- BIND 9 version 9.9.11-P1
- BIND 9 version 9.10.6-P1
- BIND 9 version 9.11.2-P1
- BIND 9 version 9.12.0rc2
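
To apply the affected range and patched releases above across an inventory, the following added example (not ISC or vendor code) classifies a reported BIND version string and names the closest listed patched release. The function names, status labels and sample version strings are assumptions made for illustration.

```python
import re

# Patched releases listed on this page, keyed by (major, minor) branch.
PATCHED = {(9, 9): "9.9.11-P1", (9, 10): "9.10.6-P1",
           (9, 11): "9.11.2-P1", (9, 12): "9.12.0rc2"}
FIRST_AFFECTED, LAST_AFFECTED = "9.0.0", "9.12.0rc1"  # range given on this page

# Only alpha/beta/rc markers and -P patch levels are understood. Other suffixes
# (vendor builds) are ignored, and distribution packages may backport the fix
# without changing this number, so confirm those against the package changelog.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?")
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}  # pre-releases sort before the final release


def parse(text):
    """Turn 'BIND 9.10.3-P4' into a tuple that sorts in release order."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch, stage, stage_n, p_level = m.groups()
    return (int(major), int(minor), int(patch),
            _STAGE[stage], int(stage_n or 0), int(p_level or 0))


def assess(text):
    """Return (status, upgrade_target) for one reported version string."""
    v = parse(text)
    fix = PATCHED.get(v[:2])
    if fix and v >= parse(fix):
        return ("patched", None)
    if v < parse(FIRST_AFFECTED) or v > parse(LAST_AFFECTED):
        return ("outside-range", None)
    # Vulnerable: suggest the lowest listed patched release above this version.
    target = min((p for p in PATCHED.values() if parse(p) > v), key=parse)
    return ("vulnerable", target)


if __name__ == "__main__":
    # Constructed inventory of version strings as reported by hosts.
    for reported in ["BIND 9.10.3-P4", "BIND 9.9.11", "BIND 9.11.2-P1",
                     "BIND 9.12.0rc1", "BIND 9.8.4"]:
        print(reported, "->", assess(reported))
```

Branches with no listed fix of their own, such as the constructed 9.8.4 entry, are pointed at the lowest listed patched release above them.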
