CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers

by CIRT Team

Description: An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet.  A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into:

• providing an AXFR of a zone to an unauthorized recipient
• accepting bogus NOTIFY packets

Impact:  An unauthorized AXFR (full zone transfer) permits an attacker to view the entire contents of a zone.  Protection of zone contents is often a commercial or business requirement.

If accepted, a NOTIFY sets the zone refresh interval to ‘now’.  If there is not already a refresh cycle in progress then named will initiate one by asking for the SOA RR from its list of masters.  If there is already a refresh cycle in progress, then named will queue the new refresh request.  If there is already a queued refresh request, the new NOTIFY will be discarded. Bogus notifications can’t be used to force a zone transfer from a malicious server, but could trigger a high rate of zone refresh cycles.

Mitigation:  Security update is available in official site.

Reference URL’s:

• https://kb.isc.org/article/AA-01503/74/CVE-2017-3143
• https://access.redhat.com/security/cve/CVE-2017-3143

CIRT Team

Recommended Posts

Active Exploitation of Critical F5 BIG – IP Vulnerability (CVE–2023-46747) Uncovered in Bangladesh

06 Nov 2024 - Security Advisories & Alerts

Emerging Threat_Stealer Malware (Lumma C2) Campaign with fake CAPTCHA pages

08 Oct 2024 - Security Advisories & Alerts

Detection of Fog Ransomware Footprint in Cyber Space of Bangladesh

12 Sep 2024 - Security Advisories & Alerts