BIND9 CVE-2017-3140 & CVE-2017-3141

[ISC Security Officer <security-officer () isc org>]

Today ISC announced CVE-2017-3140, CVE-2017-3141, and an operational
notification regarding LMDB in BIND 9.11


CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10,
9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with
Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules.

We are aware that some subscribers to this list maintain BIND packages
which have diverged from the official ISC code branches.  While we
cannot always offer specific guidance, in the case of CVE-2017-3140
maintainers who have selectively backported BIND changes are advised to
check whether they have included change #4377, as that change has been
determined to be a cause of CVE-2017-3140.


CVE-2017-3141 is a Windows privilege escalation vector affecting
9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10,
9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1.  The
BIND Windows installer failed to properly quote the service paths,
possibly allowing a local user to achieve privilege escalation, if
allowed by file system permissions.


BIND 9.11.0 and 9.11.1 carries a number of integration problems with
LMDB (liblmdb) that will be addressed in BIND 9.11.2, planned for
release in July/August 2017.


Our full CVE text can be found at:

  https://kb.isc.org/article/AA-01495/74/CVE-2017-3140
  https://kb.isc.org/article/AA-01496/74/CVE-2017-3141

The full operational notification can be found at:

  https://kb.isc.org/article/AA-01497/169/LMDB-integration-problems.html

New releases of BIND, including security fixes for these
vulnerabilities, are available at: http://www.isc.org/downloads/

Release notes can be obtained using the following links:

  ftp://ftp.isc.org/isc/bind9/9.9.10-P1/
  ftp://ftp.isc.org/isc/bind9/9.10.5-P1/
  ftp://ftp.isc.org/isc/bind9/9.11.1-P1/

Brian Conry
Security Officer

Attachment: signature.asc
Description: OpenPGP digital signature