Updates released for DNS software BIND address a critical vulnerability in the installer delivered with BIND for Windows, and which could have been exploited for privilege escalation, the Internet Systems Consortium (ISC) announced.
Tracked as CVE-2017-3141 and featuring a CVSS score of 7.2, the flaw exists because the BIND installer on Windows uses an unquoted service path. Because of that, a local user can escalate privileges, provided that the host file system permissions allow it, ISC reveals in an advisory.
While there are no known active exploits in the wild, the vulnerability could be exploited as a well-known attack vector, as long as the user file access permissions don’t prevent the installation of malicious executables.
Addressed in BIND 9 version 9.9.10-P1, 9.10.5-P1, and 9.11.1-P1, the vulnerability doesn’t affect BIND itself and non-Windows builds and installations aren’t impacted. Furthermore, manual installations where the service path is quoted when added shouldn’t be impacted either.
What’s more, the advisory reveals that BIND installations on Windows aren’t impacted when the host file permissions don’t allow the creation of a binary “in a location where the service executor would run it instead of named.exe.”
Another vulnerability addressed in the new BIND releases is a Medium risk flaw (CVE-2017-3140) that could render servers potentially vulnerable to degradation of service. For the issue to exist, the server would have to be configured to use Response Policy Zones (RPZ) and should use NSDNAME or NSIP policy rules. To exploit it, an attacker would have to be able to cause the server to process a specific query.
Remotely exploitable, the bug is triggered when named is configured to use RPZ and when processing some rule types generates an error that can lead to a condition where BIND will endlessly loop while handling a query.
Upon successful exploitation, named would enter a continuous loop while processing the query, repeatedly querying the same sets of authoritative nameservers. This behavior will usually persist indefinitely beyond the normal client query processing timeout and could result in substantial degradation of service if the attacker can trigger the condition multiple times.
“Only the NSDNAME and NSIP RPZ rule types can cause this condition to occur. You can work around this vulnerability if you are able to express your desired policy while avoiding NSDNAME or NSIP rules, otherwise it is advised that you upgrade to a version which corrects the defect,” ISC explains.
Related: BIND Updates Patch Three Vulnerabilities