Knowledge Base ISC Main Website Ask a Question/Contact ISC
Quick Jump Menu
1 BIND 9 Security Vulnerability Matrix Featured

The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts: The first part is a table listing all of the vulnerabilities covered by this page. The first column…

2 CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers

An attacker may be able to circumvent TSIG authentication of AXFR and NOTIFY requests. CVE: CVE-2017-3142 Document Version: 2.0 Posting date: 29 June 2017 Program Impacted: BIND Versions affected: 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1,…

3 CVE-2017-3143: An error in TSIG authentication can permit unauthorized dynamic updates

An attacker may be able to forge a valid TSIG or signature for a dynamic update. CVE: CVE-2017-3143 Document Version: 2.0 Posting date: 29 June 2017 Program Impacted: BIND Versions affected: 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1,…

4 CVE-2017-3141: Windows service and uninstall paths are not quoted when BIND is installed

CVE: CVE-2017-3141 Document Version: 2.0 Posting date: 14 Jun 2017 Program Impacted: BIND Versions affected: 9.2.6-P2->9.2.9, 9.3.2-P1->9.3.6, 9.4.0->9.8.8, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, 9.10.5-S1…

5 CVE-2017-3140: An error processing RPZ rules can cause named to loop endlessly after handling a query

CVE: CVE-2017-3140 Document Version: 2.0 Posting date: 14 June 2017 Program Impacted: BIND Versions affected: 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, 9.10.5-S1 Severity: Medium Exploitable: Remotely Description: If named is configured to use Response…

6 CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel

CVE: CVE-2017-3138 Document Version: 2.0 Posting date: 12 April 2017 Program Impacted: BIND Versions affected: 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9…

7 CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

CVE: CVE-2017-3137 Document Version: 2.0 Posting date: 12 April 2017 Program Impacted: BIND Versions affected: 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8 Severity: High Exploitable:…

8 CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"

CVE: CVE-2017-3136 Document Version: 2.0 Posting date: 12 April 2017 Program Impacted: BIND Versions affected: 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1,…

9 CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash

Some configurations using both DNS64 and RPZ can lead to an INSIST assertion failure or a NULL pointer read; in either case named will terminate. CVE: CVE-2017-3135 Document Version: 2.1 Posting date: 08 Feb 2017 Program Impacted: BIND Versions affected:…

10 CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c

CVE: CVE-2016-9778 Document Version: 2.0 Posting date: 11 Jan 2017 Program Impacted: BIND Versions affected: 9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0-9.11.0 -> P1 Severity: High (for affected configurations) Exploitable: Remotely Description:…