-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin

                          ASB-2018.0308
   BIND versions 9.11.5-P1, 9.12.3-P1 and 9.13.5 contain security fixes
                          13 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIND
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service           -- Remote/Unauthenticated
                   Unauthorised Access         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5740 CVE-2018-5738 CVE-2018-5737
                   CVE-2018-5736

Member content until: Saturday, January 12 2019

OVERVIEW

        A number of vulnerabilities have been identified in BIND prior to
        versions 9.11.5-P1, 9.12.3-P1 and 9.13.5. [1]

IMPACT

        The project has provided the following details regarding these
        vulnerabilities:

        "* named could crash during recursive processing of DNAME records
          when deny-answer-aliases was in use. This flaw is disclosed in
          CVE-2018-5740. [GL #387]

        * When recursion is enabled but the allow-recursion and
          allow-query-cache ACLs are not specified, they should be limited
          to local networks, but they were inadvertently set to match the
          default allow-query, thus allowing remote queries. This flaw is
          disclosed in CVE-2018-5738. [GL #309]

        * The serve-stale feature could cause an assertion failure in
          rbtdb.c even when stale-answer-enable was false. The simultaneous
          use of stale cache records and NSEC aggressive negative caching
          could trigger a recursion loop in the named process. This flaw is
          disclosed in CVE-2018-5737. [GL #185]

        * A bug in zone database reference counting could lead to a crash
          when multiple versions of a slave zone were transferred from a
          master in close succession. This flaw is disclosed in
          CVE-2018-5736.
          [GL #134]

        * Code change #4964, intended to prevent double signatures when
          deleting an inactive zone DNSKEY in some situations, introduced a
          new problem during zone processing in which some delegation glue
          RRsets are incorrectly identified as needing RRSIGs, which are
          then created for them using the current active ZSK for the zone.
          In some, but not all cases, the newly-signed RRsets are added to
          the zone's NSEC/NSEC3 chain, but incompletely -- this can result
          in a broken chain, affecting validation of proof of nonexistence
          for records in the zone. [GL #771]" [1][2][3]

MITIGATION

        The project advises updating to BIND version 9.11.5-P1, 9.12.3-P1,
        or 9.13.5 as appropriate. [1][2][3]

REFERENCES

        [1] Release notes for BIND Version 9.11.5-P1
            https://ftp.isc.org/isc/bind9/9.11.5-P1/RELEASE-NOTES-bind-9.11.5-P1.html

        [2] Release notes for BIND Version 9.12.3-P1
            https://ftp.isc.org/isc/bind9/9.12.3-P1/RELEASE-NOTES-bind-9.12.3-P1.txt

        [3] Release notes for BIND Version 9.13.5
            https://ftp.isc.org/isc/bind9/9.13.5/RELEASE-NOTES-bind-9.13.5.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXBH+lGaOgq3Tt24GAQghqxAAiTHO0hqge0ypgjK7Vt3nx9JmQg3o35JL
bk40iq14LPblAwNk5leusmaZHcCIJ36+zwXaUIOokqhUExltDhzRZgliLvPLQbf7
IOj0gRHTWUpIFKnxWp2PYF1+DMqpRFjBHs9Kiuh1kuMn3KeXaWUJQmTzPE/B2IyQ
zTeaUgCQRxyTSHiOPHWt9sshyrMyUIT+lHZLQcXZASlzN6KoYPU9smnVONvHDjKv
0jjmgt1ZqUDgQntxaYxB/2MkgK0VYNSvpNG/Ml5cXzOUf98rFnljeyvZC18VxYwu
W7x+AClN1CWfxunTsSxAjYAu70CuhmRnoMa6Q/e4zEbSJ4SUc8SJQaaTLIcS9Gj9
/09dVPLf6Hqj3oVud5hNuhHibz7juBUCW+BpdFdocM8hqDiT4VWYvK4whwt8tK43
y+wHt6RSdiwri5+NoWVdNT2pBqbhiU1yyTPGIlh1viySnugSOgcw0yPYHDNi6ePg
FW8s2ymLh3p4i7Bq0RM6KRhkRjMH09Ow1AOWNT7gUVtljS/kd+oTCxHM0WDwnCu4
dc0fmbRR/+o/u52LSxN2krSD5hET+3EUAK2XxfhdG3uzjqGD8EVMRgFDrQ0IFw4v
4PHp+os7m8V1bc0ZRm+c43imwG7ZPZm2dFAqEpEHTRNV+WvnagB9paYwzLWE8/V4
CuZbRnpZR6Y=
=MWwm
-----END PGP SIGNATURE-----