Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-5743 |
CWE-ID | CWE-770 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | bind (Alpine package) (Operating systems & Components / Operating system package or component) |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU32025
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5743
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
bind (Alpine package): 9.11.5_p4-r0 - 9.11.6-r1
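To check an inventory of installed bind package versions against the range listed above, the following added example (not part of the original bulletin or of any Alpine tooling) compares version strings in package order. It assumes versions have the shape shown in this bulletin (dotted numbers, optional `_pN`, optional `-rN`); the host names and inventory are constructed.

```python
import re

# Vulnerable range for the Alpine "bind" package, taken from the bulletin.
VULN_MIN = "9.11.5_p4-r0"
VULN_MAX = "9.11.6-r1"

# Assumption: only the version shape used in this bulletin is handled:
# dotted numbers, an optional _pN patch suffix, an optional -rN revision.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_p(\d+))?(?:-r(\d+))?$")


def parse_version(version):
    """Return a tuple that sorts in package order for the handled shape."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unsupported version format: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    # A version without _pN sorts before the same version with any _pN.
    patch = int(match.group(2)) if match.group(2) is not None else -1
    revision = int(match.group(3)) if match.group(3) is not None else 0
    return (numbers, patch, revision)


def in_listed_range(version):
    """True if version lies inside the range the bulletin lists."""
    return parse_version(VULN_MIN) <= parse_version(version) <= parse_version(VULN_MAX)


def audit(inventory):
    """Map host -> True / False, or None when the version cannot be parsed."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = in_listed_range(version)
        except ValueError:
            report[host] = None
    return report


# Constructed inventory (hypothetical hosts), e.g. collected from package listings.
SAMPLE_INVENTORY = {
    "ns1": "9.11.5_p4-r0", "ns2": "9.11.6-r1", "ns3": "9.11.6-r2",
    "ns4": "9.11.5-r0", "ns5": "9.14.1-r0", "ns6": "unknown",
}

if __name__ == "__main__":
    labels = {True: "in listed range", False: "outside listed range", None: "unparsed"}
    for host, flagged in audit(SAMPLE_INVENTORY).items():
        print(host, labels[flagged])
```

Hosts reported as unparsed need a manual look rather than being treated as outside the range.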
CPE2.3
http://git.alpinelinux.org/aports/commit/?id=5f63a5fe529bbf21d6df33b174df042d09bc53c3
http://git.alpinelinux.org/aports/commit/?id=06bfe718fd41663cb0f35a441af82a32ca3ec15b
http://git.alpinelinux.org/aports/commit/?id=9308e5b9ccb34e36206ae4390d0c6b06c46e06d2
http://git.alpinelinux.org/aports/commit/?id=935add8c0f7f6c11b2382695b3369beb40d3618c
http://git.alpinelinux.org/aports/commit/?id=aae4252e693b8d9f14125c4ec15b1bd746895f39
http://git.alpinelinux.org/aports/commit/?id=4a3cd5e69c83561fa3b30cf07f92104a81cdbac6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.