Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Critical Flaw Patched in BIND Installer for Windows

Updates released for DNS software BIND address a critical vulnerability in the installer delivered with BIND for Windows, and which could have been exploited for privilege escalation, the Internet Systems Consortium (ISC) announced.

Updates released for DNS software BIND address a critical vulnerability in the installer delivered with BIND for Windows, and which could have been exploited for privilege escalation, the Internet Systems Consortium (ISC) announced.

Tracked as CVE-2017-3141 and featuring a CVSS score of 7.2, the flaw exists because the BIND installer on Windows uses an unquoted service path. Because of that, a local user can escalate privileges, provided that the host file system permissions allow it, ISC reveals in an advisory.

While there are no known active exploits in the wild, the vulnerability could be exploited as a well-known attack vector, as long as the user file access permissions don’t prevent the installation of malicious executables.

Addressed in BIND 9 version 9.9.10-P1, 9.10.5-P1, and 9.11.1-P1, the vulnerability doesn’t affect BIND itself and non-Windows builds and installations aren’t impacted. Furthermore, manual installations where the service path is quoted when added shouldn’t be impacted either.

What’s more, the advisory reveals that BIND installations on Windows aren’t impacted when the host file permissions don’t allow the creation of a binary “in a location where the service executor would run it instead of named.exe.”

Another vulnerability addressed in the new BIND releases is a Medium risk flaw (CVE-2017-3140) that could render servers potentially vulnerable to degradation of service. For the issue to exist, the server would have to be configured to use Response Policy Zones (RPZ) and should use NSDNAME or NSIP policy rules. To exploit it, an attacker would have to be able to cause the server to process a specific query.

Remotely exploitable, the bug is triggered when named is configured to use RPZ and when processing some rule types generates an error that can lead to a condition where BIND will endlessly loop while handling a query.

Advertisement. Scroll to continue reading.

Upon successful exploitation, named would enter a continuous loop while processing the query, repeatedly querying the same sets of authoritative nameservers. This behavior will usually persist indefinitely beyond the normal client query processing timeout and could result in substantial degradation of service if the attacker can trigger the condition multiple times.

“Only the NSDNAME and NSIP RPZ rule types can cause this condition to occur.  You can work around this vulnerability if you are able to express your desired policy while avoiding NSDNAME or NSIP rules, otherwise it is advised that you upgrade to a version which corrects the defect,” ISC explains.

Related: BIND Updates Patch Three Vulnerabilities

Related: Four High Severity DoS Flaws Patched in BIND

Related: BIND Flaw Patched in 2013 Affects Linux Distros

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.