### [CVE-2017-3138](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3138)
![](https://img.shields.io/static/v1?label=Product&message=BIND%209&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=The%20BIND%20control%20channel%20is%20not%20configured%20by%20default%2C%20but%20when%20configured%20will%20accept%20commands%20from%20those%20IP%20addresses%20that%20are%20specified%20in%20its%20access%20control%20list%20and%2For%20from%20clients%20which%20present%20the%20proper%20transaction%20key.%20%20Using%20this%20defect%2C%20an%20attacker%20can%20cause%20a%20running%20server%20to%20stop%20if%20they%20can%20get%20it%20to%20accept%20control%20channel%20input%20from%20them.%20%20In%20most%20instances%20this%20is%20not%20as%20bad%20as%20it%20sounds%2C%20because%20existing%20commands%20permitted%20over%20the%20control%20channel%20(i.e.%20%22rndc%20stop%22)%20can%20already%20be%20given%20to%20cause%20the%20server%20to%20stop.%0A%0AHowever%2C%20BIND%209.11.0%20introduced%20a%20new%20option%20to%20allow%20%22read%20only%22%20commands%20over%20the%20command%20channel.%20%20Using%20this%20restriction%2C%20a%20server%20can%20be%20configured%20to%20limit%20specified%20clients%20to%20giving%20control%20channel%20commands%20which%20return%20information%20only%20(e.g.%20%22rndc%20status%22)%20without%20affecting%20the%20operational%20state%20of%20the%20server.%20%20The%20defect%20described%20in%20this%20advisory%2C%20however%2C%20is%20not%20properly%20stopped%20by%20the%20%22read%20only%22%20restriction%2C%20in%20essence%20permitting%20a%20privilege%20escalation%20allowing%20a%20client%20which%20should%20only%20be%20permitted%20the%20limited%20set%20of%20%22read%20only%22%20operations%20to%20cause%20the%20server%20to%20stop%20execution.&color=brighgreen)

### Description

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ALTinners/bind9
- https://github.com/ARPSyndicate/cvemon
- https://github.com/AndrewLipscomb/bind9
- https://github.com/balabit-deps/balabit-os-7-bind9
- https://github.com/balabit-deps/balabit-os-8-bind9-libs
- https://github.com/balabit-deps/balabit-os-9-bind9-libs
- https://github.com/pexip/os-bind9
- https://github.com/pexip/os-bind9-libs
- https://github.com/psmedley/bind-os2