CLD-514 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-5740 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) bind-server
Deficiency Type SECURITY
Date Created 2018-08-09 09:45:08
Date Last Modified 2018-08-09 15:43:52

Version Specific Information:

Cucumber 1.0 i686 vulnerable; will not fix
Cucumber 1.0 x86_64 vulnerable; will not fix

Cucumber 1.1 i686 fixed in bind-server-9.11.4_P1-i686-1
Cucumber 1.1 x86_64 fixed in bind-server-9.11.4_P1-x86_64-1 and bind-server-lib_i686-9.11.4_P1-lib_i686-1

Details:

================================ Initial Report ================================

From https://kb.isc.org/article/AA-01639 (abridged form is posted here; see
original link for full report):

A rarely-used feature in BIND has a flaw which can cause named to exit with an
INSIST assertion failure.

CVE: CVE-2018-5740
Document Version: 2.0
Posting date: 08 August 2018
Program Impacted: BIND
Versions affected: 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4,
9.12.0->9.12.2, 9.13.0->9.13.2
Severity: High (but only for servers on which the "deny-answer-aliases" feature
is explicitly enabled)
Exploitable: Remotely

Description:

"deny-answer-aliases" is a little-used feature intended to help recursive
server operators protect end users against DNS rebinding attacks, a potential
method of circumventing the security model used by client browsers.  However, a
defect in this feature makes it easy, when the feature is in use, to experience
an INSIST assertion failure in name.c. 

Impact:

Accidental or deliberate triggering of this defect will cause an INSIST
assertion failure in named, causing the named process to stop execution and
resulting in denial of service to clients.  Only servers which have explicitly
enabled the "deny-answer-aliases" feature are at risk and disabling the feature
prevents exploitation.

CVSS Score:  7.5

CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain
your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds:

This vulnerability can be avoided by disabling the "deny-answer-aliases"
feature if it is in use.

Active exploits:

No known active exploits.

Solution:

Most operators will not need to make any changes unless they are using the
"deny-answer-aliases" feature (which is described in the BIND 9 Administrator
Reference Manual section 6.2.)  "deny-answer-aliases" is off by default; only
configurations which explicitly enable it can be affected by this defect.

If you are using "deny-answer-aliases", upgrade to the patched release most
closely related to your current version of BIND.

    9.9.13-P1
    9.10.8-P1
    9.11.4-P1
    9.12.2-P1

BIND Supported Preview Edition is a special feature preview branch of BIND
provided to eligible ISC support customers.

    9.11.3-S3

================================= Our Analysis =================================

----- Affected Products -----
Versions of bind-server (specifically the named binary) 9.11.x prior to
9.11.4-P1 are vulnerable. This includes bind-server as originally packaged in
Cucumber Linux 1.1.

----- Scope and Impact of this Vulnerability -----
Allows for a remote denial of service (crash of named).

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading bind-server to version 9.11.4-P1
or later.
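
An added example (not part of the ISC report and not Cucumber Linux tooling): a
Python check that combines the two conditions described above, an affected
version and an uncommented "deny-answer-aliases" statement in named.conf. The
function names and the sample configuration are constructed for illustration;
treating later -P levels of the last affected release as fixed is an assumption.

```python
import re

# Affected ranges and fixed releases as listed in the ISC report quoted above.
AFFECTED = [((9, 7, 0), (9, 8, 8)), ((9, 9, 0), (9, 9, 13)),
            ((9, 10, 0), (9, 10, 8)), ((9, 11, 0), (9, 11, 4)),
            ((9, 12, 0), (9, 12, 2)), ((9, 13, 0), (9, 13, 2))]
FIXED = {"9.9.13-P1", "9.10.8-P1", "9.11.4-P1", "9.12.2-P1", "9.11.3-S3"}
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def version_affected(version):
    """True if a BIND version such as '9.11.4' or '9.11.4-P1' is affected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(P|S)(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % version)
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    if version.strip() in FIXED:
        return False
    for low, high in AFFECTED:
        if low <= triple <= high:
            # Assumption: any -P level on the last affected release has the fix.
            return not (triple == high and m.group(4) == "P" and int(m.group(5)) >= 1)
    return False

def deny_answer_aliases_enabled(conf):
    """True if named.conf text has an uncommented deny-answer-aliases statement."""
    # Drop /* */, // and # comments but keep quoted strings untouched.
    text = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)
    return bool(re.search(r"(?<![\w-])deny-answer-aliases\s*\{", text))

def exposed(version, conf):
    """Both conditions from the advisory: affected version and feature in use."""
    return version_affected(version) and deny_answer_aliases_enabled(conf)

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = '''
options {
    directory "/var/named";   // constructed sample
    /* deny-answer-aliases { "old.example"; }; */
    # deny-answer-aliases { "old.example"; };
    deny-answer-aliases { "example.net"; } except-from { "ok.example.net"; };
};
'''

if __name__ == "__main__":
    print("9.11.4 exposed:", exposed("9.11.4", SAMPLE_CONF))
    print("9.11.4-P1 exposed:", exposed("9.11.4-P1", SAMPLE_CONF))
```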

================================= Our Solution =================================

Cucumber Linux 1.1:
We have upgraded bind-server to 9.11.4-P1.

Cucumber Linux 1.0:
Bind-server is a testing package on Cucumber Linux 1.0, and as such it comes
with absolutely no security guarantee (See
https://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/testing/README)
and is not officially supported. That being the case, we will not be issuing a
fix for Cucumber Linux 1.0.