JPCERT-AT-2018-0031
JPCERT/CC
2018-08-09
ISC has rated the severity of the vulnerability CVE-2018-5740 as "High". For more information on the vulnerability, please refer to the information provided by ISC.
Internet Systems Consortium, Inc. (ISC)
CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named
https://kb.isc.org/article/AA-01639
If you are operating an affected version of ISC BIND 9, please consider updating to a version that addresses this vulnerability by referring to the information in "III. Solution".
- BIND 9 versions from 9.9.0 to 9.9.13
- BIND 9 versions from 9.10.0 to 9.10.8
- BIND 9 versions from 9.11.0 to 9.11.4
- BIND 9 versions from 9.12.0 to 9.12.2
The vulnerability only affects servers on which the"deny-answer-aliases" feature is explicitly enabled (it is off by default). ISC BIND 9 versions 9.7.x and 9.8.x which are no longer supported are also affected by the vulnerability.
For more details, please refer to the following:
BIND 9 Security Vulnerability Matrix
https://kb.isc.org/article/AA-00913/
If you are using BIND provided by a distributor, please refer to the information provided by that distributor.
Versions that address these vulnerabilities are as follows:
ISC BIND
- BIND 9 version 9.9.13-P1
- BIND 9 version 9.10.8-P1
- BIND 9 version 9.11.4-P1
- BIND 9 version 9.12.2-P1
- BIND 9 version 9.11.3-S3
Security update for ISC BIND 9 versions 9.9.x and 9.10.x may not be released as the support for the versions terminated in June 2018. Please update to the latest version after considering any possible impacts to systems.
US-CERT
ISC Releases Security Advisory for BIND
https://www.us-cert.gov/ncas/current-activity/2018/08/08/ISC-Releases-Security-Advisory-BIND
Internet Systems Consortium, Inc. (ISC)
Software Support Policy
https://www.isc.org/downloads/software-support-policy/#SoftwareSupportPolicyUpdate-BIND
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
JPCERT/CC
2018-08-09
I. Overview
ISC BIND 9 contains a vulnerability that leads to a denial-of-service(DoS). When this vulnerability is exploited, a remote attacker may cause named to terminate.ISC has rated the severity of the vulnerability CVE-2018-5740 as "High". For more information on the vulnerability, please refer to the information provided by ISC.
Internet Systems Consortium, Inc. (ISC)
CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named
https://kb.isc.org/article/AA-01639
If you are operating an affected version of ISC BIND 9, please consider updating to a version that addresses this vulnerability by referring to the information in "III. Solution".
II. Affected Systems
According to ISC, the following versions are affected by this vulnerability.- BIND 9 versions from 9.9.0 to 9.9.13
- BIND 9 versions from 9.10.0 to 9.10.8
- BIND 9 versions from 9.11.0 to 9.11.4
- BIND 9 versions from 9.12.0 to 9.12.2
The vulnerability only affects servers on which the"deny-answer-aliases" feature is explicitly enabled (it is off by default). ISC BIND 9 versions 9.7.x and 9.8.x which are no longer supported are also affected by the vulnerability.
For more details, please refer to the following:
BIND 9 Security Vulnerability Matrix
https://kb.isc.org/article/AA-00913/
If you are using BIND provided by a distributor, please refer to the information provided by that distributor.
III. Solution
ISC has released versions of ISC BIND 9 that address these vulnerability.Distributors are likely to provide their own versions that address the vulnerability. Consider updating to an updated version after thorough testing.Versions that address these vulnerabilities are as follows:
ISC BIND
- BIND 9 version 9.9.13-P1
- BIND 9 version 9.10.8-P1
- BIND 9 version 9.11.4-P1
- BIND 9 version 9.12.2-P1
- BIND 9 version 9.11.3-S3
Security update for ISC BIND 9 versions 9.9.x and 9.10.x may not be released as the support for the versions terminated in June 2018. Please update to the latest version after considering any possible impacts to systems.
IV. References
US-CERT
ISC Releases Security Advisory for BIND
https://www.us-cert.gov/ncas/current-activity/2018/08/08/ISC-Releases-Security-Advisory-BIND
Internet Systems Consortium, Inc. (ISC)
Software Support Policy
https://www.isc.org/downloads/software-support-policy/#SoftwareSupportPolicyUpdate-BIND
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/