Synology-SA-17:24 BIND
Publish Time: UTC+8
Last Updated: UTC+8
Severity: Important
Status: Resolved
Abstract
CVE-2017-3142 allows a remote attacker who knows a valid TSIG key name to circumvent TSIG authentication of AXFR requests and retrieve the entire contents of a zone from the vulnerable DNS Server.
CVE-2017-3143 allows a remote attacker who knows a valid TSIG key name to have a forged TSIG signature on a dynamic update accepted, and so to insert malicious records into a zone on the vulnerable DNS Server.
Severity
Important
CVSSv3 Base Score: 7.5
Affected
Products
- DNS Server 2.2.x before 2.2.1-3050, 1.2.x before 1.2.0-0131 and 1.x before 1.1-0301
Models
- All Synology models
Description
CVE-2017-3142
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name (the key secret itself is not required) may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection, with no other ACL protection, could be manipulated into:
- providing an AXFR of a zone to an unauthorized recipient
- accepting bogus NOTIFY packets
CVE-2017-3143
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted (again, without the key secret) may be able to manipulate BIND into accepting an unauthorized dynamic update. As with CVE-2017-3142, a zone whose allow-update policy is the TSIG key alone, with no address-based ACL, is the exposed configuration.
Mitigation
If you use TSIG authentication on a slave zone, the steps below add a source IP whitelist in front of the TSIG check, so that a request carrying only a known key name is no longer sufficient. This is a workaround; installing the fixed package (see Update Availability) is still required.
Creating a new slave zone
1. In the Zones tab, press the Create button and choose Slave zone on the menu.
2. Tick the Limit source IP service box and press the Source IP List button.
3. Press the Create button at the top of the region.
4. Choose Single IP host or Subnet.
5. If you chose Single IP host, enter a legal IP address in the IP address field. For example, enter 192.168.1.100 if you allow the DNS server at 192.168.1.100 to transfer the zone with your DNS server.
6. If you chose Subnet, enter a legal subnet in the IP address field and the netmask in Subnet mask. For example, enter 192.168.1.0 in the IP address field and 255.255.255.0 in Subnet mask if you allow all DNS servers in the range 192.168.1.0 ~ 192.168.1.255 to transfer the zone with your DNS server.
7. Repeat steps 5 ~ 6 to add further legal IP sources.
8. Press OK to save the option, then press Finish to close the whitelist settings.
9. Press OK to save the new slave zone.
Edit an existing slave zone
- In Zones tab, press Edit button and choose Zone settings on the menu.
- Follow steps 2 ~ 9 in the Creating a new slave zone section.
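The same mitigation, expressed as a BIND named.conf fragment, is shown below as an added example; it is not Synology's own configuration and not code from this advisory. The first zone relies on the TSIG key alone, which is exactly the configuration the two CVEs in the Description affect; the hardened zones require the request to come from an allowed source address and to carry the key, the equivalent of the GUI whitelist above. The zone names, key name, addresses and the secret placeholder are assumptions.

```conf
// Assumed key name; replace the secret with your own base64 value
// (for example the output of: tsig-keygen xfer-key).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Assumed addresses of the only hosts allowed to transfer the zone,
// send NOTIFY, or submit dynamic updates (mirrors the GUI whitelist).
acl "trusted-dns" {
    192.168.1.100;
    192.168.1.0/24;
};

// WEAK: the TSIG key is the only control. On an unpatched server a
// request that merely names "xfer-key" can pass without the secret
// (CVE-2017-3142 for AXFR/NOTIFY, CVE-2017-3143 for dynamic update).
zone "weak.example.com" {
    type master;
    file "weak.example.com.zone";
    allow-transfer { key "xfer-key"; };
    allow-update   { key "xfer-key"; };
};

// HARDENED master: source address AND key. The nested negated ACL
// rejects any client outside "trusted-dns" first; only a client that
// survives that check is then required to present a valid TSIG key.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { !{ !trusted-dns; any; }; key "xfer-key"; };
    allow-update   { !{ !trusted-dns; any; }; key "xfer-key"; };
};

// HARDENED slave (the case the GUI procedure covers): restrict both who
// may pull the zone from this server and whose NOTIFY it will accept.
zone "example.net" {
    type slave;
    file "example.net.zone";
    masters { 192.168.1.100 key "xfer-key"; };
    allow-transfer { !{ !trusted-dns; any; }; key "xfer-key"; };
    allow-notify   { !{ !trusted-dns; any; }; key "xfer-key"; };
};
```

Run named-checkconf before reloading. To confirm the ACL is actually enforced, request an AXFR from an address outside trusted-dns while presenting the real key (dig @server example.com AXFR -y hmac-sha256:xfer-key:<secret>): the transfer must be refused even though the key is valid, which shows the address check is evaluated independently of TSIG.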
Update Availability
To fix the security issue, please go to DSM > Package Center and update DNS Server to 2.2.1-3051 or above.
References