ASB-2018.0308 - [Win][UNIX/Linux] BIND: Multiple vulnerabilities 2018-12-13

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0308
   BIND versions 9.11.5-P1, 9.12.3-P1 and 9.13.5 contain security fixes
                             13 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BIND
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Denial of Service   -- Remote/Unauthenticated
                      Unauthorised Access -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5740 CVE-2018-5738 CVE-2018-5737
                      CVE-2018-5736  
Member content until: Saturday, January 12 2019

OVERVIEW

        A number of vulnerabilities have been identified in BIND prior to
        versions 9.11.5-P1, 9.12.3-P1 and 9.13.5. [1]


IMPACT

        The project has provided the following details regarding these
        vulnerabilities:
        
        "     * named could crash during recursive processing of DNAME records when
               deny-answer-aliases was in use. This flaw is disclosed in
               CVE-2018-5740. [GL #387]
             * When recursion is enabled but the allow-recursion and
               allow-query-cache ACLs are not specified, they should be limited to
               local networks, but they were inadvertently set to match the
               default allow-query, thus allowing remote queries. This flaw is
               disclosed in CVE-2018-5738. [GL #309]
             * The serve-stale feature could cause an assertion failure in rbtdb.c
               even when stale-answer-enable was false. The simultaneous use of
               stale cache records and NSEC aggressive negative caching could
               trigger a recursion loop in the named process. This flaw is
               disclosed in CVE-2018-5737. [GL #185]
             * A bug in zone database reference counting could lead to a crash
               when multiple versions of a slave zone were transferred from a
               master in close succession. This flaw is disclosed in
               CVE-2018-5736. [GL #134]
             * Code change #4964, intended to prevent double signatures when
               deleting an inactive zone DNSKEY in some situations, introduced a
               new problem during zone processing in which some delegation glue
               RRsets are incorrectly identified as needing RRSIGs, which are then
               created for them using the current active ZSK for the zone. In
               some, but not all cases, the newly-signed RRsets are added to the
               zone's NSEC/NSEC3 chain, but incompletely -- this can result in a
               broken chain, affecting validation of proof of nonexistence for
               records in the zone. [GL #771]" [1][2][3]


MITIGATION

        The project advises updating to BIND version 9.11.5-P1, 9.12.3-P1,
        or 9.13.5 as appropriate. [1][2][3]


REFERENCES

        [1] Release notes for BIND Version 9.11.5-P1
            https://ftp.isc.org/isc/bind9/9.11.5-P1/RELEASE-NOTES-bind-9.11.5-P1.html

        [2] Release notes for BIND Version 9.12.3-P1
            https://ftp.isc.org/isc/bind9/9.12.3-P1/RELEASE-NOTES-bind-9.12.3-P1.txt

        [3] Release notes for BIND Version 9.13.5
            https://ftp.isc.org/isc/bind9/9.13.5/RELEASE-NOTES-bind-9.13.5.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXBH+lGaOgq3Tt24GAQghqxAAiTHO0hqge0ypgjK7Vt3nx9JmQg3o35JL
bk40iq14LPblAwNk5leusmaZHcCIJ36+zwXaUIOokqhUExltDhzRZgliLvPLQbf7
IOj0gRHTWUpIFKnxWp2PYF1+DMqpRFjBHs9Kiuh1kuMn3KeXaWUJQmTzPE/B2IyQ
zTeaUgCQRxyTSHiOPHWt9sshyrMyUIT+lHZLQcXZASlzN6KoYPU9smnVONvHDjKv
0jjmgt1ZqUDgQntxaYxB/2MkgK0VYNSvpNG/Ml5cXzOUf98rFnljeyvZC18VxYwu
W7x+AClN1CWfxunTsSxAjYAu70CuhmRnoMa6Q/e4zEbSJ4SUc8SJQaaTLIcS9Gj9
/09dVPLf6Hqj3oVud5hNuhHibz7juBUCW+BpdFdocM8hqDiT4VWYvK4whwt8tK43
y+wHt6RSdiwri5+NoWVdNT2pBqbhiU1yyTPGIlh1viySnugSOgcw0yPYHDNi6ePg
FW8s2ymLh3p4i7Bq0RM6KRhkRjMH09Ow1AOWNT7gUVtljS/kd+oTCxHM0WDwnCu4
dc0fmbRR/+o/u52LSxN2krSD5hET+3EUAK2XxfhdG3uzjqGD8EVMRgFDrQ0IFw4v
4PHp+os7m8V1bc0ZRm+c43imwG7ZPZm2dFAqEpEHTRNV+WvnagB9paYwzLWE8/V4
CuZbRnpZR6Y=
=MWwm
-----END PGP SIGNATURE-----

« Back to bulletins