                                                   JPCERT-AT-2018-0031
                                                             JPCERT/CC
                                                            2018-08-09

                  <<< JPCERT/CC Alert 2018-08-09 >>>

Alert on denial-of-service vulnerability (CVE-2018-5740) in ISC BIND 9

        https://www.jpcert.or.jp/english/at/2018/at180031.html


I. Overview
ISC BIND 9 contains a vulnerability that leads to a denial-of-service
(DoS). When this vulnerability is exploited, a remote attacker may
cause named to terminate. 
ISC has rated the severity of the vulnerability CVE-2018-5740
as "High". For more information on the vulnerability, please refer
to the information provided by ISC.

    Internet Systems Consortium, Inc. (ISC)
    CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named
    https://kb.isc.org/article/AA-01639

If you are operating an affected version of ISC BIND 9, please consider
updating to a version that addresses this vulnerability by referring to
the information in "III. Solution".


II. Affected Systems
According to ISC, the following versions are affected by this
vulnerability.

    - BIND 9 versions from 9.9.0 to 9.9.13
    - BIND 9 versions from 9.10.0 to 9.10.8
    - BIND 9 versions from 9.11.0 to 9.11.4
    - BIND 9 versions from 9.12.0 to 9.12.2

The vulnerability only affects servers on which the
"deny-answer-aliases" feature is explicitly enabled (it is off by
default). ISC BIND 9 versions 9.7.x and 9.8.x which are no longer
supported are also affected by the vulnerability.

For more details, please refer to the following:

    BIND 9 Security Vulnerability Matrix
    https://kb.isc.org/article/AA-00913/

If you are using BIND provided by a distributor, please refer to the
information provided by that distributor.


III. Solution
ISC has released versions of ISC BIND 9 that address these vulnerability.
Distributors are likely to provide their own versions that address
the vulnerability. Consider updating to an updated version after
thorough testing.

Versions that address these vulnerabilities are as follows:

  ISC BIND
  - BIND 9 version 9.9.13-P1
  - BIND 9 version 9.10.8-P1
  - BIND 9 version 9.11.4-P1
  - BIND 9 version 9.12.2-P1
  - BIND 9 version 9.11.3-S3

Security update for ISC BIND 9 versions 9.9.x and 9.10.x may not be
released as the support for the versions terminated in June 2018. Please
update to the latest version after considering any possible impacts
to systems.


IV. References
    US-CERT
    ISC Releases Security Advisory for BIND
    https://www.us-cert.gov/ncas/current-activity/2018/08/08/ISC-Releases-Security-Advisory-BIND

    Internet Systems Consortium, Inc. (ISC)
    Software Support Policy
    https://www.isc.org/downloads/software-support-policy/#SoftwareSupportPolicyUpdate-BIND


If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/