Updates released for DNS software BIND address a critical vulnerability in the installer delivered with BIND for Windows, and which could have been exploited for privilege escalation, the Internet Systems Consortium (ISC) announced.
Tracked as CVE-2017-3141 and featuring a CVSS score of 7.2, the flaw exists because the BIND installer on Windows uses an unquoted service path. Because of that, a local user can escalate privileges, provided that the host file system permissions allow it, ISC reveals in an advisory.
While there are no known active exploits in the wild, the vulnerability could be exploited as a well-known attack vector, as long as the user file access permissions don’t prevent the installation of malicious executables.
Addressed in BIND 9 version 9.9.10-P1, 9.10.5-P1, and 9.11.1-P1, the vulnerability doesn’t affect BIND itself and non-Windows builds and installations aren’t impacted. Furthermore, manual installations where the service path is quoted when added shouldn’t be impacted either.
What’s more, the advisory reveals that BIND installations on Windows aren’t impacted when the host file permissions don’t allow the creation of a binary “in a location where the service executor would run it instead of named.exe.”
Another vulnerability addressed in the new BIND releases is a Medium risk flaw (CVE-2017-3140) that could render servers potentially vulnerable to degradation of service. For the issue to exist, the server would have to be configured to use Response Policy Zones (RPZ) and should use NSDNAME or NSIP policy rules. To exploit it, an attacker would have to be able to cause the server to process a specific query.
Remotely exploitable, the bug is triggered when named is configured to use RPZ and when processing some rule types generates an error that can lead to a condition where BIND will endlessly loop while handling a query.
Upon successful exploitation, named would enter a continuous loop while processing the query, repeatedly querying the same sets of authoritative nameservers. This behavior will usually persist indefinitely beyond the normal client query processing timeout and could result in substantial degradation of service if the attacker can trigger the condition multiple times.
“Only the NSDNAME and NSIP RPZ rule types can cause this condition to occur. You can work around this vulnerability if you are able to express your desired policy while avoiding NSDNAME or NSIP rules, otherwise it is advised that you upgrade to a version which corrects the defect,” ISC explains.
Related: BIND Updates Patch Three Vulnerabilities
Related: Four High Severity DoS Flaws Patched in BIND
Related: BIND Flaw Patched in 2013 Affects Linux Distros
More from Ionut Arghire
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- GitLab Security Update Patches Critical Vulnerability
- Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
