Assertion failure in ISC BIND

#VU14291 Assertion failure in ISC BIND

Cybersecurity Help s.r.o.

Published: 2018-08-09 | Updated: 2018-08-09

Vulnerability identifier: #VU14291

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5740

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description

The vulnerability allows an attacker to perform denial of service (DoS) attack.

The vulnerability exists due to INSIST assertion failure in name.c when processing recursive queries. A remote attacker can trigger denial of service conditions if the affected server is configured with enabled "deny-answer-aliases" feature.

Mitigation

Update to version 9.9.13-P1, 9.10.8-P1, 9.11.3-S3, 9.11.4-P1 or 9.12.2-P1

Vulnerable software versions

ISC BIND: 9.7.0 - 9.13.2

External links
http://kb.isc.org/article/AA-01639/74/CVE-2018-5740%3A-A-flaw-in-the-deny-answer-aliases-feature-ca...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for bind

Gentoo update for BIND

Amazon Linux AMI update for bind

Red Hat update for ISC BIND

Slackware Linux update for bind

Assertion failure in bind (Alpine package)

Denial of service in ISC BIND