ESB-2018.2293 - [Win][UNIX/Linux] BIND: Denial of service - Remote/unauthenticated 2018-08-09

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2293
                A vulnerability has been identified in BIND
                               9 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIND
Publisher:         ISC
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5740  

Original Bulletin: 
   https://kb.isc.org/article/AA-01639

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause
an INSIST assertion failure in named

Author: Michael McNally
Reference Number: AA-01639
Created: 2018-08-08
Last Updated: 2018-08-08

A rarely-used feature in BIND has a flaw which can cause named to
exit with an INSIST assertion failure.

CVE: CVE-2018-5740
Document Version: 2.0
Posting date: 08 August 2018
Program Impacted: BIND
Versions affected: 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8,
    9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2
Severity: High (but only for servers on which the "deny-answer-aliases"
    feature is explicitly enabled)
Exploitable: Remotely

Description:

"deny-answer-aliases" is a little-used feature intended to help
recursive server operators protect end users against DNS rebinding
attacks, a potential method of circumventing the security model used
by client browsers.  However, a defect in this feature makes it easy,
when the feature is in use, to experience an INSIST assertion failure
in name.c.

Impact:

Accidental or deliberate triggering of this defect will cause an
INSIST assertion failure in named, causing the named process to stop
execution and resulting in denial of service to clients.  Only
servers which have explicitly enabled the "deny-answer-aliases"
feature are at risk and disabling the feature prevents exploitation.

CVSS Score:  7.5

CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds:

This vulnerability can be avoided by disabling the
"deny-answer-aliases" feature if it is in use.

Active exploits:

No known active exploits.

Solution:

Most operators will not need to make any changes unless they are
using the "deny-answer-aliases" feature (which is described in the
BIND 9 Administrator Reference Manual, section 6.2).
"deny-answer-aliases" is off by default; only configurations which
explicitly enable it can be affected by this defect.
If you are using "deny-answer-aliases", upgrade to the patched
release most closely related to your current version of BIND.
                                                                      
  o 9.9.13-P1                                                       
  o 9.10.8-P1                                                         
  o 9.11.4-P1                                                        
  o 9.12.2-P1                                                        
                                                                      
BIND Supported Preview Edition is a special feature preview branch of 
BIND provided to eligible ISC support customers.                      

  o 9.11.3-S3                                                       
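
A check for whether a given server falls under this advisory, added here as an example (not code from ISC or AusCERT). It takes the version string that named -v prints after "BIND" and the text of named.conf; the function names and sample configurations are constructed, and builds with a suffix other than the patched releases listed above are assumed to be judged by their base x.y.z version.

```python
import re

# Affected ranges and patched releases, copied from this advisory.
AFFECTED = [((9, 7, 0), (9, 8, 8)), ((9, 9, 0), (9, 9, 13)),
            ((9, 10, 0), (9, 10, 8)), ((9, 11, 0), (9, 11, 4)),
            ((9, 12, 0), (9, 12, 2)), ((9, 13, 0), (9, 13, 2))]
PATCHED = {"9.9.13-P1", "9.10.8-P1", "9.11.4-P1", "9.12.2-P1", "9.11.3-S3"}

def version_affected(version):
    """True if `version` (e.g. "9.11.4" or "9.11.3-S1") is in an affected range."""
    version = version.strip()
    if version in PATCHED:
        return False
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    base = tuple(int(p) for p in m.groups())
    # Assumption: any other suffixed build is judged by its base x.y.z,
    # which errs on the side of flagging it.
    return any(lo <= base <= hi for lo, hi in AFFECTED)

def feature_enabled(conf_text):
    """True if a deny-answer-aliases statement survives comment stripping."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)  # /* ... */
    text = re.sub(r"(//|#).*", "", text)                     # // and # to end of line
    return re.search(r"(?<![\w-])deny-answer-aliases\s*\{", text) is not None

def at_risk(version, conf_text):
    """Affected version AND the feature explicitly configured."""
    return version_affected(version) and feature_enabled(conf_text)

# Constructed sample configurations (not from the advisory).
SAMPLE_ON = '''
options {
    recursion yes;
    deny-answer-aliases { "example.net"; };
};
'''
SAMPLE_OFF = '''
options {
    recursion yes;
    // deny-answer-aliases { "example.net"; };
};
'''

if __name__ == "__main__":
    for ver, conf in [("9.11.4", SAMPLE_ON), ("9.11.4", SAMPLE_OFF),
                      ("9.11.4-P1", SAMPLE_ON)]:
        print(ver, "at risk" if at_risk(ver, conf) else "not at risk")
```

Passing the output of named-checkconf -p as the configuration text also covers files pulled in by include statements.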

Acknowledgements:

ISC would like to thank Tony Finch of the University of Cambridge for
reporting this issue.

Document Revision History:

1.0 Advance Notification 31 July, 2018
2.0 Public Disclosure 08 August, 2018

Related Documents:

See our BIND9 Security Vulnerability Matrix at
https://kb.isc.org/article/AA-00913 for a complete listing of Security
Vulnerabilities and versions affected.

If you'd like more information on ISC Subscription Support and
Advance Security Notifications, please visit
http://www.isc.org/support/.

Do you still have questions?  Questions regarding this advisory
should go to security-officer@isc.org.  To report a new issue, please
encrypt your message using security-officer@isc.org's PGP key which
can be found here:
https://www.isc.org/downloads/software-support-policy/openpgp-key/.
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/.

Note: ISC patches only currently supported versions. When possible we
indicate EOL versions affected.  (For current information on which
versions are actively supported, please see
http://www.isc.org/downloads/).

ISC Security Vulnerability Disclosure Policy:  Details of our current
security advisory policy and practice can be found here:
https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html

This Knowledge Base article https://kb.isc.org/article/AA-01639 is
the complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied
warranty of merchantability, fitness for a particular purpose,
absence of hidden defects, or of non-infringement. Your use or
reliance on this notice or materials referred to in this notice is at
your own risk. ISC may change this notice at any time.  A stand-alone
copy or paraphrase of the text of this document that omits the
document URL is an uncontrolled copy. Uncontrolled copies may lack
important information, be out of date, or contain factual errors.


(C) 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not
been able to find an answer in our Knowledge Base, we recommend
searching our community mailing list archives and/or posting your
question there (you will need to register there first for your posts
to be accepted). The bind-users and the dhcp-users lists particularly
have a long-standing and active membership.

ISC relies on the financial support of the community to fund the
development of its open source software products. If you would like
to support future product evolution and maintenance as well as having
peace of mind knowing that our team of experts is poised to provide
you with individual technical assistance whenever you call upon them,
then please consider our Professional Subscription Support services -
details can be found on our main website.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
