CVE-2018-5740 BIND Vulnerability Could Cause DoS Attacks
NEWS

CVE-2018-5740 BIND Vulnerability Could Cause DoS Attacks

A warning has been issued by the Internet Systems Consortium (ISC) about a severe vulnerability that could be leveraged in DoS attacks in the open-source BIND software. The vulnerability was discovered by security researcher Tony Finch of the University of Cambridge, and has been identified as CVE-2018-5740.




Official Description of CVE-2018-5740

“deny-answer-aliases” is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an INSIST assertion failure in name.c.

What Is the Impact of CVE-2018-5740?

Accidental or deliberate triggering of the described flaw will lead to an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients, ISC explained in an advisory. Only servers which have explicitly enabled the “deny-answer-aliases” feature are at risk. So, disabling the feature prevents exploitation, the organization added.

To counter the exploit, “most operators will not need to make any changes unless they are using the “deny-answer-aliases” feature (which is described in the BIND 9 Adminstrator Reference Manual section 6.2.) “deny-answer-aliases” is off by default; only configurations which explicitly enable it can be affected by this defect“.

More about the BIND Software

BIND is open-source software that enables individuals to publish their Domain Name System (DNS) information on the Internet, and to resolve DNS queries for their users. As for the meaning of the abbreviation, BIND stands for “Berkeley Internet Name Domain”. Historically, the software originated in the early 1980s at the University of California at Berkeley. It appears that it is the most widely adopted DNS software on the internet. This large adoption may have created a precondition for attackers to exploit several versions of the software.

More specifically, ISC reported that the following BIND versions are impacted by CVE-2018-5740:

Versions 9.7.0 — 9.8.8, 9.9.0 — 9.9.13, 9.10.0 — 9.10.8, 9.11.0 — 9.11.4, 9.12.0 — 9.12.2, and 9.13.0 — 9.13.2.

Fortunately, no active exploits of the vulnerability are known. As a workaround, this vulnerability can be avoided by disabling the “deny-answer-aliases” feature, in case it is in use.

Related Story: BIND Vulnerability CVE-2016-2776 Could Cause DoS Attacks

In 2016, Trend Micro researchers unearthed another BIND vulnerability that was known as CVE-2016-2776. This vulnerability could be activated when a DNS server constructs a response to a forged query where the response size crosses the default DNS response size (512). ISC quickly fixed two vulnerable functions (dns_message_renderbegin () and dns_message_rendersection() ) to fix the vulnerability. Despite the quick reaction, the flaw was actively exploited in attacks.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...