5.3

CVE-2017-3142

An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient or accepting bogus NOTIFY packets. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2.

Data is provided by the National Vulnerability Database (NVD)
IscBind Version >= 9.4.0 <= 9.8.8
IscBind Version >= 9.9.0 <= 9.9.10
IscBind Version >= 9.10.0 <= 9.10.5
IscBind Version >= 9.11.0 <= 9.11.1
IscBind Version9.9.0 Updatep1
IscBind Version9.9.3 Updates1
IscBind Version9.9.10 Updates2
IscBind Version9.10.5 Updatep1
IscBind Version9.10.5 Updates1
IscBind Version9.10.5 Updates2
IscBind Version9.11.1 Updatep1
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 5.23% 0.896
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 3.7 2.2 1.4
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
security-officer@isc.org 5.3 3.9 1.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.securityfocus.com/bid/99339
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1038809
Third Party Advisory
VDB Entry