[manjaro-security] [arch-security] [ASA-201707-3] bind: access restriction bypass

Remi Gacogne rgacogne at archlinux.org
Tue Jul 4 12:02:07 CEST 2017


Arch Linux Security Advisory ASA-201707-3
=========================================

Severity: High
Date    : 2017-07-04
CVE-ID  : CVE-2017-3142 CVE-2017-3143
Package : bind
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-335

Summary
=======

The package bind before version 9.11.1.P2-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 9.11.1.P2-1.

# pacman -Syu "bind>=9.11.1.P2-1"

The problems have been fixed upstream in version 9.11.1.P2.

Workaround
==========

None.

Description
===========

- CVE-2017-3142 (access restriction bypass)

An error in TSIG authentication has been found in BIND <= 9.11.1-P1,
allowing a remote attacker to bypass authentication in order to perform
unauthorized zone transfers or forge NOTIFY packets. The attacker needs
to know the key name, and must be allowed by any other ACL restrictions
in place.

- CVE-2017-3143 (access restriction bypass)

An error in TSIG authentication has been found in BIND <= 9.11.1-P1,
allowing a remote attacker to bypass authentication in order to perform
unauthorized zone updates, altering the content of the zone. The
attacker needs to know the key name, and must be allowed by any other
ACL restrictions in place.

Impact
======

A remote attacker can bypass authentication in order to retrieve or
update the content of a zone.

References
==========

https://kb.isc.org/article/AA-01504/74/CVE-2017-3142%3A-An-error-in-TSIG-authentication-can-permit-unauthorized-zone-transfers.html
https://kb.isc.org/article/AA-01503/74/CVE-2017-3143%3A-An-error-in-TSIG-authentication-can-permit-unauthorized-dynamic-updates.html
https://security.archlinux.org/CVE-2017-3142
https://security.archlinux.org/CVE-2017-3143
