An attacker may be able to forge a valid TSIG or SIG(0) signature for a
dynamic update.

CVE:                 CVE-2017-3143
Document Version:    2.0
Posting date:        29 June 2017
Program Impacted:    BIND
Versions affected:   9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1,
                     9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2,
9.10.5-S1-9.10.5-S2
Severity:            High
Exploitable:         Remotely

Description:

   An attacker who is able to send and receive messages to an
   authoritative DNS server and who has knowledge of a valid TSIG
   key name for the zone and service being targeted may be able to
   manipulate BIND into accepting an unauthorized dynamic update.

Impact:

   A server that relies solely on TSIG or SIG(0) keys with no other
   address-based ACL protection could be vulnerable to malicious
   zone content manipulation using this technique.

CVSS Score:          7.5
CVSS Vector:         CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Workarounds:

   The effects of this vulnerability can be mitigated by using
   Access Control Lists (ACLs) that require both address range
   validation and use of TSIG authentication in parallel.  For
   information on how to configure this type of compound authentication
   control, please see:


https://kb.isc.org/article/AA-00723/0/Using-Access-Control-Lists-ACLs-with-both-addresses-and-keys.html.

   Administrators who have made use of named.conf option "update-policy
   local;" should refer to the Administrator Reference Manual (ARM)
   for details of the automatic update policy that will be established
   and to assess whether or not this conveys any additional risk
   to their server.  (Note that this option is not enabled by default).

Active exploits:

   No known active exploits but a similar issue was announced
   publicly on 23 July 2017 by another DNS server software provider.

Solution:

   Upgrade to the patched release most closely related to your
   current version of BIND. These can all be downloaded from
   http://www.isc.org/downloads.

   -  BIND 9 version 9.9.10-P2
   -  BIND 9 version 9.10.5-P2
   -  BIND 9 version 9.11.1-P2

   BIND Supported Preview Edition is a special feature preview
   branch of BIND provided to eligible ISC support customers.

   -  BIND 9 version 9.9.10-S3
   -  BIND 9 version 9.10.5-S3

Acknowledgements:

   ISC would like to thank Clment Berthaux from Synacktiv for
   reporting this issue.

Document Revision History:

   1.0 Advance Notification 26 June 2017
   1.1 CVSS score corrected (was previously erroneously listed as 7.8)
27 June 2017
   2.0 Public disclosure 29 June 2017