Bug 1613595 (CVE-2018-5740) - CVE-2018-5740 bind: processing of certain records when "deny-answer-aliases" is in use may trigger an assert leading to a denial of service
Status: CLOSED ERRATA
Alias: CVE-2018-5740
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=important,public=20180808:2130...
Depends On: 1613976 1613977 1613978 1614040 1614041 1614042
Blocks: 1613599
Reported: 2018-08-08 00:29 UTC by Sam Fowler
Modified: 2019-06-11 11:13 UTC (History)

Fixed In Version: bind 9.9.13-P1, bind 9.10.8-P1, bind 9.11.4-P1, bind 9.12.2-P1, bind 9.11.3-S3
Doc Text:
A denial of service flaw was discovered in bind versions that include the "deny-answer-aliases" feature. This flaw may allow a remote attacker to trigger an INSIST assert in named leading to termination of the process and a denial of service condition.
Last Closed: 2019-06-10 10:35:30 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2570 None None None 2018-08-27 15:32:09 UTC
Red Hat Product Errata RHSA-2018:2571 None None None 2018-08-27 15:17:33 UTC

Description Sam Fowler 2018-08-08 00:29:07 UTC
BIND through versions 9.8.8, 9.9.13, 9.10.8, 9.11.4, 9.12.2 and 9.13.2 has a flaw in the "deny-answer-aliases" feature that can cause an INSIST assertion failure in named. A remote attacker could exploit this to cause named to crash.

Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.

Comment 1 Sam Fowler 2018-08-08 00:29:13 UTC
Acknowledgments:

Name: ISC
Upstream: Tony Finch (University of Cambridge)

Comment 2 Tomas Hoger 2018-08-08 07:11:36 UTC
Note that upstream notes version 9.7.0 as the first version affected by this flaw, as that's when the deny-answer-aliases feature was added.

Comment 9 Scott Gayou 2018-08-08 17:43:14 UTC
Mitigation:

Disabling the "deny-answer-aliases" configuration option should prevent exploitation.

Comment 10 Scott Gayou 2018-08-08 17:54:11 UTC
Statement:

The "deny-answer-aliases" configuration option is not enabled in default configurations of bind. Upstream states that this option is very rarely used. As such, if customers have not specifically enabled this option in configurations, the risk should be mitigated.
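
Added example, not part of the bug report and not code from ISC or Red Hat: a Python check for the exposure condition named in comments 9 and 10, listing every active "deny-answer-aliases" clause in a named.conf text while ignoring commented-out ones. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample named.conf for illustration (not taken from the bug report).
SAMPLE_CONF = '''\
options {
    directory "/var/named";
    // deny-answer-aliases { "example.net"; };
    recursion yes;
};
view "internal" {
    /* rebinding protection */
    deny-answer-aliases { "example.com"; } except-from { "ok.example.com"; };
};
view "external" {
    # deny-answer-aliases { "example.org"; };
    recursion no;
};
'''

# Quoted strings and the three named.conf comment styles: /* */, //, #
_NONCODE = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def _mask(text):
    """Blank comments and string contents, keeping offsets and newlines."""
    def blank(m):
        tok = m.group(0)
        body = re.sub(r'[^\n]', ' ', tok)
        return '"' + body[1:-1] + '"' if tok[0] == '"' else body
    return _NONCODE.sub(blank, text)

def find_deny_answer_aliases(text):
    """Return (line, statement) for each active deny-answer-aliases clause."""
    mask, hits = _mask(text), []
    for m in re.finditer(r'(?<![\w-])deny-answer-aliases(?![\w-])', mask):
        depth, end = 0, m.end()
        while end < len(mask):            # walk to the ';' that closes the clause
            c = mask[end]
            if c == '{':
                depth += 1
            elif c == '}':
                depth -= 1
            elif c == ';' and depth == 0:
                break
            end += 1
        line = text.count('\n', 0, m.start()) + 1
        hits.append((line, ' '.join(text[m.start():end + 1].split())))
    return hits

if __name__ == '__main__':
    for line, stmt in find_deny_answer_aliases(SAMPLE_CONF):
        print(f'line {line}: {stmt}')
```

The scan does not follow include directives, so files pulled in that way need the same check; running it over the output of named-checkconf -p, which prints the configuration together with its included files, covers them in one pass.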

Comment 11 Scott Gayou 2018-08-08 21:31:22 UTC
Unembargoing due to unembargo from upstream (https://lists.isc.org/pipermail/bind-announce/2018-August/001098.html)

Comment 12 Scott Gayou 2018-08-08 21:31:34 UTC
External References:

https://kb.isc.org/article/AA-01639/74/CVE-2018-5740

Comment 13 Scott Gayou 2018-08-08 21:33:17 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1614040]


Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1614041]

Comment 16 Doran Moppert 2018-08-10 06:18:31 UTC
Red Hat Virtualization only ships client-side / library portions of bind, which do not include this flaw.

Comment 17 Doran Moppert 2018-08-10 06:24:44 UTC
Upstream patches:

https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits

Comment 21 errata-xmlrpc 2018-08-27 15:17:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2571 https://access.redhat.com/errata/RHSA-2018:2571

Comment 22 errata-xmlrpc 2018-08-27 15:32:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2570 https://access.redhat.com/errata/RHSA-2018:2570

