BIND through versions 9.8.8, 9.9.13, 9.10.8, 9.11.4, 9.12.2 and 9.13.2 have a flaw in the "deny-answer-aliases" feature that can cause an INSIST assertion failure in named. A remote attacker could exploit this to cause named to crash. Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.
Acknowledgments:
Name: ISC
Upstream: Tony Finch (University of Cambridge)
Note that upstream notes version 9.7.0 as the first version affected by this flaw, as that's when the deny-answer-aliases feature was added.
Mitigation: Disabling the "deny-answer-aliases" configuration option should prevent exploitation.
Statement: The "deny-answer-aliases" configuration option is not enabled in default configurations of bind. Upstream states that this option is very rarely used. As such, if customers have not specifically enabled this option in configurations, the risk should be mitigated.
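To confirm whether a given server is in the at-risk group described above, the check below looks for an active "deny-answer-aliases" statement in named.conf text while ignoring commented-out copies. It is an added example, not code from ISC or Red Hat; the sample configuration and the function names are constructed for illustration, and it inspects only the text it is given (files pulled in with include are not followed).

```python
import re

# Constructed sample named.conf (not from the advisory): one live
# deny-answer-aliases statement and three commented-out ones.
SAMPLE_CONF = '''
options {
    directory "/var/named";   // deny-answer-aliases { "old.example"; };
    # deny-answer-aliases { "hash.example"; };
    /* deny-answer-aliases { "block.example"; }; */
    deny-answer-aliases { "example.net"; "internal.example"; }
        except-from { "example.com"; };
};
'''

# Single alternation pass: quoted strings are matched first so that a
# '#' or '//' inside a string is never mistaken for a comment start.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf: str) -> str:
    """Remove /* */, // and # comments, leaving quoted strings intact."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else ' ', conf)

# The option keyword followed by its brace-delimited name list.
_STMT = re.compile(r'\bdeny-answer-aliases\s*\{([^}]*)\}', re.S)

def find_deny_answer_aliases(conf: str) -> list[list[str]]:
    """Return the name list of every active deny-answer-aliases statement."""
    found = []
    for m in _STMT.finditer(strip_comments(conf)):
        names = [n.strip().strip('"') for n in m.group(1).split(';') if n.strip()]
        found.append(names)
    return found

def is_exposed(conf: str) -> bool:
    """True if the option named in the advisory is enabled in this text."""
    return bool(find_deny_answer_aliases(conf))

if __name__ == "__main__":
    for names in find_deny_answer_aliases(SAMPLE_CONF):
        print("deny-answer-aliases enabled for:", ", ".join(names))
```

Running it against the output of `named-checkconf -p`, which prints the parsed configuration including included files, covers options set outside the main file.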
Unembargoing due to unembargo from upstream (https://lists.isc.org/pipermail/bind-announce/2018-August/001098.html)
External References: https://kb.isc.org/article/AA-01639/74/CVE-2018-5740
Created bind tracking bugs for this issue:
Affects: fedora-all [bug 1614040]
Created bind99 tracking bugs for this issue:
Affects: fedora-all [bug 1614041]
Red Hat Virtualization only ships client-side / library portions of bind, which do not include this flaw.
Upstream patches: https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2018:2571 https://access.redhat.com/errata/RHSA-2018:2571
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:2570 https://access.redhat.com/errata/RHSA-2018:2570