CVE-2017-3135 in BIND
Summary
by MITRE
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1.
Analysis
by VulDB Data Team • 11/14/2022
The vulnerability described in CVE-2017-3135 is a state-management flaw in named, the server component of BIND 9.x. It is reachable only when DNS64 and Response Policy Zones (RPZ) are both enabled for the same server or view: after a response has been rewritten by both mechanisms, query processing can resume in an inconsistent internal state, and named terminates.
The root cause lies in how the query state is tracked when a response has undergone both DNS64 synthesis and RPZ rewriting. DNS64 synthesizes AAAA records from A records so that IPv6-only clients behind a NAT64 translator can reach IPv4-only services; RPZ lets an administrator override or block responses for particular names according to locally defined policy zones. When both act on the same response, the code path that resumes processing can be left with state that no longer matches what the following code expects. Depending on which field is examined next, named either trips an INSIST assertion (a deliberate internal-consistency check that aborts the process) or reads through a NULL pointer. Both outcomes end the named process; the difference is the crash path, not the severity.
The operational impact is remote denial of service. Any client able to send queries to an affected resolver that has both features enabled can cause the crash, and with it the loss of name resolution for every client that server serves. The effect is a crash rather than a running server that silently returns bad answers. The affected ranges span the 9.8, 9.9, 9.10 and 9.11 branches, including the subscription (-S) editions, so organizations still running older BIND releases with DNS64 alongside RPZ are exposed. ISC shipped the fix in 9.9.9-P6, 9.10.4-P6 and 9.11.0-P3 (9.9.9-S8 for the subscription branch), together with the 9.9.10, 9.10.5 and 9.11.1 release candidates that followed the affected betas.
From a classification standpoint, VulDB maps this issue to CWE-691 (Insufficient Control Flow Management): the server continues along a code path it should not have resumed. It is an example of two independently correct processing layers interacting unsafely when applied to the same data flow. In ATT&CK terms the fit is T1499 (Endpoint Denial of Service), specifically application crashing through a crafted request (T1499.004), rather than volumetric network flooding. The remediation is to upgrade to a fixed release; until the upgrade is in place, disabling either DNS64 or RPZ removes the trigger, because the flaw requires both to rewrite the same response.
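The affected ranges and the "both features enabled" trigger condition above are easy to mis-apply by hand, particularly because BIND version strings carry beta (b1), release-candidate (rc1), patch (-P5) and subscription (-S7) suffixes that do not sort lexically. The following script is an added example, not ISC or VulDB code: it encodes the affected ranges from the advisory text, parses the `named -v` banner and a named.conf file, and classifies a host as vulnerable (affected version with both features active), mitigated (affected version but one feature disabled) or patched. The version grammar, the regular expressions used to spot `dns64` and `response-policy` statements, and the sample configuration are assumptions of this example; real deployments may split these statements across included files, which the script does not follow.

```python
"""Added example (not ISC or VulDB code): classify a BIND host against CVE-2017-3135."""
import re

# Assumed grammar for BIND version strings, e.g. 9.9.9-P5, 9.9.10b1, 9.9.9-S7.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+))?(?:-(P|S)(\d+))?$")
_STAGE = {"b": 0, "rc": 1, None: 2, "P": 3}   # beta < rc < release < patch level


def parse_version(text):
    """Return (edition, key). edition is 'S' for the subscription line, '' otherwise.
    key sorts beta < rc < final release < -Pn (or -Sn within the S edition)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, patch, pre, pre_n, post, post_n = m.groups()
    if pre and post:
        raise ValueError("unsupported version form: %r" % text)
    stage = _STAGE[pre] if pre else (_STAGE["P"] if post else _STAGE[None])
    num = int(pre_n or post_n or 0)
    edition = "S" if post == "S" else ""
    return edition, (int(major), int(minor), int(patch), stage, num)


# Affected ranges taken from the advisory text on this page, inclusive on both ends.
AFFECTED = [
    ("9.8.8", "9.8.8"),
    ("9.9.3-S1", "9.9.9-S7"),
    ("9.9.3", "9.9.9-P5"),
    ("9.9.10b1", "9.9.10b1"),
    ("9.10.0", "9.10.4-P5"),
    ("9.10.5b1", "9.10.5b1"),
    ("9.11.0", "9.11.0-P2"),
    ("9.11.1b1", "9.11.1b1"),
]


def is_affected(version):
    """True when the version falls inside an affected range of the same edition."""
    edition, key = parse_version(version)
    for low, high in AFFECTED:
        lo_ed, lo_key = parse_version(low)
        _hi_ed, hi_key = parse_version(high)
        if lo_ed == edition and lo_key <= key <= hi_key:
            return True
    return False


def _strip_comments(conf):
    """Remove the three comment styles named.conf accepts so commented-out
    statements do not count as active."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def uses_dns64_and_rpz(conf):
    """True when an active dns64 block and an active response-policy statement coexist."""
    body = _strip_comments(conf)
    has_dns64 = re.search(r"\bdns64\s+\S+\s*\{", body) is not None
    has_rpz = re.search(r"\bresponse-policy\s*\{", body) is not None
    return has_dns64 and has_rpz


def assess(named_v_output, conf):
    """Classify one host from its `named -v` banner and its named.conf text."""
    m = re.search(r"\bBIND\s+(\S+)", named_v_output)
    if not m:
        raise ValueError("no BIND version banner found")
    if not is_affected(m.group(1)):
        return "patched"
    if not uses_dns64_and_rpz(conf):
        return "mitigated"   # affected code is present but the trigger path is not configured
    return "vulnerable"


# Constructed sample configuration: a resolver with both features enabled.
VULNERABLE_CONF = """
options {
    recursion yes;
    dns64 64:ff9b::/96 { clients { any; }; };
    response-policy { zone "rpz.local"; };
};
zone "rpz.local" { type master; file "rpz.local.db"; };
"""

# The same configuration with DNS64 commented out: the interim workaround.
WORKAROUND_CONF = VULNERABLE_CONF.replace(
    "    dns64 64:ff9b::/96", "    // dns64 64:ff9b::/96")

if __name__ == "__main__":
    # Banners are constructed; a real `named -v` line also carries a build id.
    print(assess("BIND 9.10.4-P5", VULNERABLE_CONF))   # vulnerable
    print(assess("BIND 9.10.4-P5", WORKAROUND_CONF))   # mitigated
    print(assess("BIND 9.10.4-P6", VULNERABLE_CONF))   # patched
```

Run it against the output of `named -v` and the contents of the server's named.conf; a result of "vulnerable" means both the code defect and the configuration that exercises it are present, and either upgrading or disabling one of the two features changes the result.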