Bugzilla – Bug 1104129
VUL-1: CVE-2018-5740: bind: A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named
Last modified: 2022-09-16 13:25:22 UTC
actually is public
https://kb.isc.org/article/AA-01639/0/CVE-2018-5740%3A-A-flaw-in-the-deny-answer-aliases-feature-can-cause-an-INSIST-assertion-failure-in-named.html

CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named

Author: Michael McNally
Reference Number: AA-01639
Views: 2716
Created: 2018-08-08 16:00
Last Updated: 2018-08-08 20:27

A rarely-used feature in BIND has a flaw which can cause named to exit with an INSIST assertion failure.

CVE: CVE-2018-5740
Document Version: 2.0
Posting date: 08 August 2018
Program Impacted: BIND
Versions affected: 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2
Severity: High (but only for servers on which the "deny-answer-aliases" feature is explicitly enabled)
Exploitable: Remotely

Description: "deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an INSIST assertion failure in name.c.

Impact: Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients. Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.

CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds: This vulnerability can be avoided by disabling the "deny-answer-aliases" feature if it is in use.

Active exploits: No known active exploits.
Solution: Most operators will not need to make any changes unless they are using the "deny-answer-aliases" feature (which is described in the BIND 9 Administrator Reference Manual section 6.2.) "deny-answer-aliases" is off by default; only configurations which explicitly enable it can be affected by this defect. If you are using "deny-answer-aliases", upgrade to the patched release most closely related to your current version of BIND.

9.9.13-P1
9.10.8-P1
9.11.4-P1
9.12.2-P1

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.

9.11.3-S3

Acknowledgements: ISC would like to thank Tony Finch of the University of Cambridge for reporting this issue.

Document Revision History:
1.0 Advance Notification 31 July, 2018
2.0 Public Disclosure 08 August, 2018
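An exposure check built from the advisory's affected ranges and patched releases, as an added example that is not code from ISC, SUSE or this bug report. The function names are hypothetical, and the configuration text is assumed to be fully expanded (for instance the output of named-checkconf -p), since include statements are not followed.

```python
import re

# Affected upstream ranges, inclusive, as listed in the ISC advisory above.
AFFECTED = [
    ((9, 7, 0), (9, 8, 8)), ((9, 9, 0), (9, 9, 13)),
    ((9, 10, 0), (9, 10, 8)), ((9, 11, 0), (9, 11, 4)),
    ((9, 12, 0), (9, 12, 2)), ((9, 13, 0), (9, 13, 2)),
]
# Patched releases from the advisory: base version -> (suffix letter, number).
PATCHED = {
    (9, 9, 13): ("P", 1), (9, 10, 8): ("P", 1), (9, 11, 4): ("P", 1),
    (9, 12, 2): ("P", 1), (9, 11, 3): ("S", 3),
}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-?([A-Za-z]+)(\d+))?")
# Quoted strings are matched first so that "//" or "#" inside them survive.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_OPTION = re.compile(r"(?<![\w-])deny-answer-aliases\s*\{")


def is_affected_version(version):
    """True if an upstream BIND version string falls in an affected range."""
    m = _VERSION.search(version)
    if not m:
        raise ValueError("unrecognised BIND version: %r" % version)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    if not any(lo <= base <= hi for lo, hi in AFFECTED):
        return False
    fix = PATCHED.get(base)
    if fix and m.group(4) and m.group(4).upper() == fix[0]:
        # Assumption: a later -P/-S number on the same base keeps the fix.
        return int(m.group(5)) < fix[1]
    return True


def uses_deny_answer_aliases(conf_text):
    """True if the option appears outside comments and quoted strings."""
    keep = lambda t: '""' if t.group().startswith('"') else " "
    return bool(_OPTION.search(_TOKEN.sub(keep, conf_text)))


def assess(version, conf_text):
    """Combine both checks into a one-line verdict for a server."""
    if not uses_deny_answer_aliases(conf_text):
        return "not exposed: deny-answer-aliases is not enabled"
    if is_affected_version(version):
        return "exposed: upgrade or remove deny-answer-aliases"
    return "feature enabled, version outside the affected ranges"
```

Distribution packages backport the fix without changing the upstream version (the SUSE updates in this bug ship it in bind-9.11.2 and bind-9.9.x builds), so on packaged systems confirm against the vendor advisory rather than relying on is_affected_version alone.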
There is no patch available for this. The only fix is to upgrade to latest release. Moreover, it is applicable only when 'deny-answer-aliases' feature is enabled which in our packages is disabled by default.
(In reply to Navin Kukreja from comment #4) can you backport the upstream fix? Setting to VUL-1 because it's disabled in the default config
I've tracked down the fix and have a patch available for this issue.
Upstream commit: https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits
References: https://bugzilla.redhat.com/show_bug.cgi?id=1613595
Created attachment 803108 [details] Fix for CVE-2018-5740.
Navin, could you please submit for SLE-11-SP2?
Not needed for SLE-10-SP3 and SLE-11, because they do not contain the vulnerable feature. All others are done.
SUSE-SU-2019:1407-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1104129,1126068,1126069,1133185
CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): bind-9.11.2-12.11.2
SUSE Linux Enterprise Module for Server Applications 15 (src): bind-9.11.2-12.11.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bind-9.11.2-12.11.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bind-9.11.2-12.11.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bind-9.11.2-12.11.2
SUSE Linux Enterprise Module for Basesystem 15 (src): bind-9.11.2-12.11.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14074-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1104129,1126068,1126069,1133185
CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): bind-9.9.6P1-0.51.15.4
SUSE Linux Enterprise Point of Sale 11-SP3 (src): bind-9.9.6P1-0.51.15.4
SUSE Linux Enterprise Debuginfo 11-SP4 (src): bind-9.9.6P1-0.51.15.4
SUSE Linux Enterprise Debuginfo 11-SP3 (src): bind-9.9.6P1-0.51.15.4
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1449-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1104129,1126068,1126069,1133185
CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src): bind-9.9.9P1-28.42.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1532-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1104129,1126068,1126069,1133185
CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465
Sources used:
openSUSE Leap 42.3 (src): bind-9.9.9P1-56.1
openSUSE-SU-2019:1533-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1104129,1126068,1126069,1133185
CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465
Sources used:
openSUSE Leap 15.1 (src): bind-9.11.2-lp151.11.3.1
openSUSE Leap 15.0 (src): bind-9.11.2-lp150.8.13.1
SUSE-SU-2019:1406-2: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1104129,1126068,1126069,1133185
CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465
Sources used:
SUSE CaaS Platform 3.0 (src): bind-9.9.9P1-63.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
When can we expect a patch for SUSE Linux Enterprise Server 12 SP4? It's been "In progress" for quite some time.
Thanks,
Craig
SUSE-SU-2019:2502-1: An update that solves 5 vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1104129,1118367,1118368,1126068,1126069,1128220,1133185,1138687
CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465,CVE-2019-6471
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bind-9.11.2-3.10.1
SUSE Linux Enterprise Server 12-SP4 (src): bind-9.11.2-3.10.1
SUSE Linux Enterprise Desktop 12-SP4 (src): bind-9.11.2-3.10.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.