ISC releases BIND security update to address high-risk vulnerability
According to a SecurityAffairs report on January 17, the Internet Systems Consortium (ISC) recently released a security update for BIND to address a high-risk vulnerability (CVE-2017-3145) that may cause DNS servers to crash. There is no direct evidence that the vulnerability has been exploited in the wild.
According to ISC, CVE-2017-3145 is caused by a use-after-free (UAF) error, a memory corruption bug:
BIND improperly sequences cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that triggers an assertion failure and crashes the DNS server process.
The vulnerability affects systems running as DNSSEC validating resolvers, so experts suggest temporarily disabling DNSSEC validation as a workaround. However, according to ISC, there is currently no evidence that CVE-2017-3145 has been exploited in the wild.
The bug has existed in BIND since the 9.0.0 release, but there are no known code paths leading to it in ISC releases prior to those containing the fix for CVE-2017-3137. Therefore, although all instances of BIND should be patched, only versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1 are currently known to be affected.
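A small check for a patch inventory, added here as an example and not taken from ISC or the source article: it tests whether a `named` version string falls inside one of the release ranges listed above for CVE-2017-3145. The ordering rules (alpha < beta < rc < release < -P, with -S builds compared only against each other) and the names `LISTED_RANGES`, `parse` and `in_listed_range` are assumptions of this example.

```python
import re

# Constructed from the release ranges listed in the article for CVE-2017-3145.
LISTED_RANGES = [
    ("9.9.9-P8", "9.9.11"),
    ("9.10.4-P8", "9.10.6"),
    ("9.11.0-P5", "9.11.2"),
    ("9.9.9-S10", "9.9.11-S1"),
    ("9.10.5-S1", "9.10.6-S1"),
    ("9.12.0a1", "9.12.0rc1"),
]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+)|-(P|S)(\d+))?$")
# Assumed ordering: pre-releases sort before the plain release, -P levels after it.
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3, "P": 4}


def parse(version):
    """Return (train, sort_key) for a BIND version string such as '9.10.4-P8'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    pre, pre_n, tag, tag_n = m.group(4, 5, 6, 7)
    if tag == "S":
        # Assumption: -S builds are a separate train, compared only with each other.
        return "S", base + (int(tag_n),)
    stage = pre or tag
    return "main", base + (_STAGE[stage], int(pre_n or tag_n or 0))


def in_listed_range(version):
    """True if version lies inside one of the ranges above (bounds inclusive)."""
    train, key = parse(version)
    for low, high in LISTED_RANGES:
        low_train, low_key = parse(low)
        if train == low_train and low_key <= key <= parse(high)[1]:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample versions, e.g. as collected from `named -v` across a fleet.
    for v in ["9.9.9-P7", "9.10.5", "9.11.2", "9.11.2-P1", "9.10.6-S1", "9.12.0"]:
        print(f"{v:12} {'listed' if in_listed_range(v) else 'not listed'}")
```

Version strings in a form the pattern does not recognise raise `ValueError` rather than being silently treated as outside the ranges.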
In addition, ISC disclosed a medium-severity DHCP flaw tracked as CVE-2017-3144:
A vulnerability stemming from failure to properly clean up closed OMAPI connections can lead to exhaustion of the pool of socket descriptors available to the DHCP server.
An attacker who is allowed to establish connections to the OMAPI control port could exploit CVE-2017-3144 to exhaust the socket descriptor pool available to the DHCP server. Once the pool is depleted, the server will not accept further connections and denies access to connections from legitimate server operators. While the server continues to receive and serve DHCP client requests, operators may be prevented from using OMAPI to control server state, add new lease reservations, and more.
CVE-2017-3144 affects versions 4.1.0 through 4.1-ESV-R15, 4.2.0 through 4.2.8, and 4.3.0 through 4.3.6. ISC said it has developed a patch, to be rolled out in future DHCP releases, that can prevent unauthorized clients from accessing the OMAPI control port.
Source: SecurityAffairs