Vulnerability Details : CVE-2017-3138
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
Threat overview for CVE-2017-3138
Top countries where our scanners detected CVE-2017-3138
Top open port discovered on systems with this issue
53
IPs affected by CVE-2017-3138 354
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2017-3138!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2017-3138
Probability of exploitation activity in the next 30 days: 5.72%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-3138
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:N/A:P |
6.8
|
2.9
|
NIST |
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
1.6
|
3.6
|
NIST |
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
Internet Systems Consortium (ISC) |
CWE ids for CVE-2017-3138
-
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-3138
-
https://kb.isc.org/docs/aa-01471
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel - Security AdvisoriesVendor Advisory
-
https://security.netapp.com/advisory/ntap-20180802-0002/
April 2017 ISC BIND Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
http://www.securitytracker.com/id/1038260
BIND Null Command String Processing Lets Remote Users on Authorized Hosts Cause the Target Service to Crash - SecurityTrackerThird Party Advisory;VDB Entry
-
https://www.debian.org/security/2017/dsa-3854
Debian -- Security Information -- DSA-3854-1 bind9Third Party Advisory
-
https://security.gentoo.org/glsa/201708-01
BIND: Multiple vulnerabilities (GLSA 201708-01) — Gentoo securityThird Party Advisory
-
http://www.securityfocus.com/bid/97657
ISC BIND CVE-2017-3138 Remote Denial of Service VulnerabilityThird Party Advisory;VDB Entry
Products affected by CVE-2017-3138
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:p2:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:p3:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:p1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:s1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:p1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:p4:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.0:p1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:p4:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:p3:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:p2:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:s7:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:p5:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:p5:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.0:p2:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.10:beta1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.0:p3:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.5:b1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:p6:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.1:b1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:p6:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.0:p4:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:p7:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:p7:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.10:rc2:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*