CVE-2017-3143
Publication date 29 June 2017
Last updated 25 August 2025
Ubuntu priority
Description
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| bind9 | ||
| 16.04 LTS xenial |
Fixed 1:9.10.3.dfsg.P4-8ubuntu1.7
|
|
| 14.04 LTS trusty |
Fixed 1:9.9.5.dfsg-3ubuntu0.15
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.9 · Medium
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3346-1
- bind9 vulnerabilities
- 29 June 2017
- USN-3346-3
- Bind vulnerabilities
- 8 November 2017