Information disclosure in ISC BIND



Published: 2018-06-13 | Updated: 2020-01-30
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-5738
CWE-ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
ISC BIND
Server applications / DNS servers

Vendor ISC

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU13326

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:W/RC:C]

CVE-ID: CVE-2018-5738

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper access controls. When configured with "recursion yes;" and match list values are not provided for "allow-query-cache" or "allow-query", the "allow-recursion" setting may permit all hosts to perform recursion. A remote attacker can bypass intended recursion access controls, make a recursive query to a BIND nameserver in certain cases and examine the results of queries answered from the cache to determine which queries a server has previously responded to.

Mitigation

Install updates from vendor's website.

The vendor has described the following workarounds in the advisory:

If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default.

If the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:

  • allow-recursion
  • allow-query
  • allow-query-cache
will prevent the "allow-recursion" control from improperly inheriting a setting from the allow-query default.  If a value is set for any of those values the behavior of allow-recursion will be set directly or inherited from one of the other values as described in the BIND Adminstrator Reference Manual section 6.2

Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf

Vulnerable software versions

ISC BIND: 9.9.12 - 9.13.0

External links

http://kb.isc.org/article/AA-01616


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###