ESB-2018.2293 - [Win][UNIX/Linux] BIND: Denial of service - Remote/unauthenticated 2018-08-09


             AUSCERT External Security Bulletin Redistribution

                A vulnerability has been identified in BIND
                               9 August 2018


        AusCERT Security Bulletin Summary

Product:           BIND
Publisher:         ISC
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5740

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause
an INSIST assertion failure in named

Author: Michael McNally
Reference Number: AA-01639
Last Updated:

A rarely-used feature in BIND has a flaw which can cause named to
exit with an INSIST assertion failure.

Document Version: 2.0
Posting date: 08 August 2018
Program Impacted: BIND
Versions affected: 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4,
9.12.0->9.12.2, 9.13.0->9.13.2
Severity: High (but only for servers on which the "deny-answer-aliases" feature
is explicitly enabled)

Description:

"deny-answer-aliases" is a little-used feature intended to help
recursive server operators protect end users against DNS rebinding
attacks, a potential method of circumventing the security model used
by client browsers.  However, a defect in this feature makes it easy,
when the feature is in use, to experience an INSIST assertion failure
in name.c.

Impact:

Accidental or deliberate triggering of this defect will cause an
INSIST assertion failure in named, causing the named process to stop
execution and resulting in denial of service to clients.  Only
servers which have explicitly enabled the "deny-answer-aliases"
feature are at risk and disabling the feature prevents exploitation.

CVSS Score:  7.5

CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit: https://

Workarounds:

This vulnerability can be avoided by disabling the
"deny-answer-aliases" feature if it is in use.

Active exploits:

No known active exploits.

Solution:

Most operators will not need to make any changes unless they are
using the "deny-answer-aliases" feature (which is described in the
BIND 9 Administrator Reference Manual section 6.2.)
"deny-answer-aliases" is off by default; only configurations which
explicitly enable it can be affected by this defect.

If you are using "deny-answer-aliases", upgrade to the patched
release most closely related to your current version of BIND.

  o 9.9.13-P1
  o 9.10.8-P1
  o 9.11.4-P1
  o 9.12.2-P1

BIND Supported Preview Edition is a special feature preview branch of
BIND provided to eligible ISC support customers.

  o 9.11.3-S3
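As an added check (not part of the ISC advisory or of BIND itself), the following POSIX shell script tests a host against the two conditions the advisory gives: a named version in the affected ranges above and "deny-answer-aliases" present in the active configuration. It assumes version strings of the form 9.x.y or 9.x.y-Pn, a constructed sample named.conf embedded below, and that on a live host the configuration is first expanded with "named-checkconf -p"; Supported Preview (-S) editions are not modelled.

```shell
#!/bin/sh
# Added example: is a BIND host exposed to CVE-2018-5740? Exposure needs BOTH an
# affected named version AND "deny-answer-aliases" in the active configuration.

# Advisory ranges as minor:first_patch:last_patch:fixing_P (major is always 9;
# "-" = no -P fix; 9.7 gets 99 since "9.7.0->9.8.8" gives it no ceiling).
CVE_2018_5740_RANGES="7:0:99:- 8:0:8:- 9:0:13:1 10:0:8:1 11:0:4:1 12:0:2:1 13:0:2:-"

# Exit 0 if a version (9.11.4, 9.11.4-P1, ...) is affected, 1 if not, 2 if it
# cannot be parsed. Supported Preview (-S) editions are not modelled.
bind_version_affected() {
    base=${1%%-*}; suffix=${1#"$base"}        # "9.11.4" and "" or "-P1"
    case $base in *.*.*) ;; *) return 2 ;; esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; patch=${rest#*.}; plevel=0
    case $suffix in "") ;; -P[0-9]*) plevel=${suffix#-P} ;; *) return 2 ;; esac
    [ "$major" -eq 9 ] || return 1
    for r in $CVE_2018_5740_RANGES; do
        oldifs=$IFS; IFS=:; set -- $r; IFS=$oldifs   # $1..$4 = range fields
        [ "$minor" -eq "$1" ] || continue
        [ "$patch" -ge "$2" ] && [ "$patch" -le "$3" ] || return 1
        # at the top of a range, a -P level at or above the fix is patched
        if [ "$patch" -eq "$3" ] && [ "$4" != "-" ] && [ "$plevel" -ge "$4" ]; then return 1; fi
        return 0
    done
    return 1
}

# Exit 0 if "deny-answer-aliases" is present outside '//' or '#' comments. On a
# live host feed it "named-checkconf -p" output (includes expanded, all comment
# styles stripped); on a raw file this line-based pass is an approximation.
deny_answer_aliases_enabled() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | grep -q 'deny-answer-aliases'
}

# Exposed only when both hold: $1 = version string, $2 = configuration file.
cve_2018_5740_exposed() {
    bind_version_affected "$1" && deny_answer_aliases_enabled "$2"
}

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
options {
    // a commented-out deny-answer-aliases line must not count
    deny-answer-aliases { "example.com"; };   # rebinding protection, enabled
};
EOF
if cve_2018_5740_exposed 9.11.4 "$SAMPLE_CONF"; then echo "exposed: upgrade to the matching -P1 release or remove deny-answer-aliases"; fi
```

On a real host the version string can be taken from "named -v" (second field of its output) and the configuration from "named-checkconf -p /etc/named.conf" written to a file.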

Acknowledgments:

ISC would like to thank Tony Finch of the University of Cambridge for
reporting this issue.

Document Revision History:

1.0 Advance Notification 31 July, 2018
2.0 Public Disclosure 08 August, 2018

Related Documents:

See our BIND9 Security Vulnerability Matrix at
article/AA-00913 for a complete listing of Security Vulnerabilities
and versions affected.

If you'd like more information on ISC Subscription Support and
Advance Security Notifications, please visit

Do you still have questions?  Questions regarding this advisory
should go to  To report a new issue, please
encrypt your message using the PGP key which
can be found here:
software-support-policy/openpgp-key/.  If you are unable to use
encrypted email, you may also report new issues at: https://

Note: ISC patches only currently supported versions. When possible we
indicate EOL versions affected.  (For current information on which
versions are actively supported, please see

ISC Security Vulnerability Disclosure Policy:  Details of our current
security advisory policy and practice can be found here: https://

This Knowledge Base article is
the complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied
warranty of merchantability, fitness for a particular purpose,
absence of hidden defects, or of non-infringement. Your use or
reliance on this notice or materials referred to in this notice is at
your own risk. ISC may change this notice at any time.  A stand-alone
copy or paraphrase of the text of this document that omits the
document URL is an uncontrolled copy. Uncontrolled copies may lack
important information, be out of date, or contain factual errors.

(C) 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not
been able to find an answer in our Knowledge Base, we recommend
searching our community mailing list archives and/or posting your
question there (you will need to register there first for your posts
to be accepted). The bind-users and the dhcp-users lists particularly
have a long-standing and active membership.

ISC relies on the financial support of the community to fund the
development of its open source software products. If you would like
to support future product evolution and maintenance as well having
peace of mind knowing that our team of experts are poised to provide
you with individual technical assistance whenever you call upon them,
then please consider our Professional Subscription Support services -
details can be found on our main website.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
