Today ISC announced two significant BIND vulnerabilities (via our bind-announce list -- https://lists.isc.org/mailman/listinfo/bind-announce)
They are CVE-2017-3142 and CVE-2017-3143 and both are related to errors in our TSIG support. These are unusual CVEs for BIND -- many of the vulnerabilities we disclose are denial-of-service vectors which affect server availability but can easily be partly or completely mitigated by running BIND with a watchdog process. Atypically, these new vulnerabilities have, respectively, a confidentiality impact (for CVE-2017-3142, which potentially permits unauthorized zone transfer) and a data integrity impact (CVE-2017-3143, which under some circumstances can permit an attacker to cause the server to accept a forged DDNS update.) New versions of BIND have been released and are available from ISC's web site: http://www.isc.org/downloads Details on the vulnerabilities are available via the ISC Knowledge Base: https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/ Please take these bugs seriously and act promptly to safeguard your servers if you rely on TSIG authentication for zone transfers or DDNS. Michael McNally ISC Support _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
