CVE-2017-3138 — MEDIUM (6.5)

Vulnerability Description

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Isc	Bind	9.9.9
Netapp	Data Ontap Edge	-
Netapp	Element Software	-
Netapp	Oncommand Balance	-
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-617

References

http://www.securityfocus.com/bid/97657Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038260Third Party AdvisoryVDB Entry
https://kb.isc.org/docs/aa-01471Vendor Advisory
https://security.gentoo.org/glsa/201708-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20180802-0002/Third Party Advisory
https://www.debian.org/security/2017/dsa-3854Third Party Advisory
http://www.securityfocus.com/bid/97657Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038260Third Party AdvisoryVDB Entry
https://kb.isc.org/docs/aa-01471Vendor Advisory
https://security.gentoo.org/glsa/201708-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20180802-0002/Third Party Advisory
https://www.debian.org/security/2017/dsa-3854Third Party Advisory

FAQ

What is CVE-2017-3138?

CVE-2017-3138 is a vulnerability with a CVSS score of 6.5 (MEDIUM). named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regressio...

How severe is CVE-2017-3138?

CVE-2017-3138 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-3138?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Netapp Data Ontap Edge, Netapp Element Software, Netapp Oncommand Balance, Debian Debian Linux.