Denial of service in ISC BIND

Published: 2018-08-09 15:20:27
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-5740
CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CWE ID: CWE-617
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: ISC BIND
Vulnerable software versions: ISC BIND 9.13.2, ISC BIND 9.13.1, ISC BIND 9.13.0
Vendor URL: ISC

Security Advisory

1) Assertion failure

Description

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an INSIST assertion failure in name.c when processing recursive queries. A remote attacker can trigger denial of service conditions if the affected server is configured with the "deny-answer-aliases" feature enabled.
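
To check whether a server meets the configuration precondition described above, the following added example (not code from ISC or from this advisory) scans named.conf text for an active "deny-answer-aliases" statement while ignoring commented-out ones. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample named.conf for illustration (not taken from the advisory).
SAMPLE_CONF = '''
options {
    directory "/var//named";  // "deny-answer-aliases" appears only in a comment
    # deny-answer-aliases { "old.example."; };
    /* deny-answer-aliases { "block.example."; }; */
    recursion yes;
};
view "internal" {
    deny-answer-aliases { "example.net."; corp.example.; }
        except-from { "trusted.example."; };
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments; quoted strings are copied untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # quoted string: copy verbatim
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith('/*', i):          # block comment
            j = text.find('*/', i + 2)
            i = n if j == -1 else j + 2
        elif text.startswith('//', i) or text[i] == '#':  # line comment
            j = text.find('\n', i)
            i = n if j == -1 else j
        else:
            out.append(text[i])
            i += 1
    return ''.join(out)

# The statement keyword followed by its first brace block (the alias name list).
STMT = re.compile(r'(?<![\w-])deny-answer-aliases\s*\{([^}]*)\}')

def find_deny_answer_aliases(conf_text):
    """Return the name list of each active deny-answer-aliases statement."""
    active = strip_comments(conf_text)
    return [[name.strip('"') for name in body.replace(';', ' ').split()]
            for body in STMT.findall(active)]

if __name__ == '__main__':
    hits = find_deny_answer_aliases(SAMPLE_CONF)
    print('deny-answer-aliases enabled:', bool(hits), hits)
```

The check does not follow `include` directives, so run it over each included file as well.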

Remediation

Update to version 9.9.13-P1, 9.10.8-P1, 9.11.3-S3, 9.11.4-P1 or 9.12.2-P1

External links

https://kb.isc.org/article/AA-01639/74/CVE-2018-5740%3A-A-flaw-in-the-deny-answer-aliases-feature-ca...
