The Internet Systems Consortium (ISC) has issued a warning about a severe vulnerability in the open-source BIND DNS software that can be leveraged in denial-of-service (DoS) attacks. The vulnerability, tracked as CVE-2018-5740, was discovered by security researcher Tony Finch of the University of Cambridge.
Official Description of CVE-2018-5740
“deny-answer-aliases” is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an INSIST assertion failure in name.c.
What Is the Impact of CVE-2018-5740?
Accidental or deliberate triggering of the flaw causes an INSIST assertion failure in named, which stops the named process and denies service to its clients, ISC explained in its advisory. Because the feature inspects answers the recursive server receives, the trigger can arrive from a lookup the server performs on behalf of a client. Only servers that have explicitly enabled the "deny-answer-aliases" feature are at risk, so disabling the feature prevents exploitation, the organization added.
On remediation, ISC advised: "most operators will not need to make any changes unless they are using the 'deny-answer-aliases' feature (which is described in the BIND 9 Administrator Reference Manual section 6.2). 'deny-answer-aliases' is off by default; only configurations which explicitly enable it can be affected by this defect."
More about the BIND Software
BIND is open-source software that lets individuals and organizations publish their Domain Name System (DNS) information on the Internet and resolve DNS queries for their users. The name stands for "Berkeley Internet Name Domain"; the software originated in the early 1980s at the University of California at Berkeley. It is generally regarded as the most widely deployed DNS software on the Internet, which is why a single flaw in it reaches a large number of servers across several release branches.
More specifically, ISC reported that the following BIND versions are impacted by CVE-2018-5740:
Versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2.
Fortunately, ISC knew of no active exploits of the vulnerability at the time of the advisory. Operators who rely on the feature should upgrade to the patched release for their branch; as a workaround until then, the vulnerability can be avoided by disabling "deny-answer-aliases" wherever it is in use.
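A quick way to audit a server for this exposure, as an added shell example that is not part of the ISC advisory or the BIND project: it strips comments from a named.conf and reports whether an active "deny-answer-aliases" statement is present. The sample configuration files, paths and domain names are constructed for the demonstration; named-checkconf -p is used when it is installed, since it prints the configuration in canonical form with include files expanded and comments dropped, and a sed comment-stripper is the fallback.

```shell
#!/bin/sh
# Added example (not from the ISC advisory or BIND itself): report whether a
# named.conf enables deny-answer-aliases, the only configuration exposed to
# CVE-2018-5740. The fallback stripper handles // and # line comments and
# single-line /* */ comments; multi-line block comments are an assumed limitation.

# Produce the configuration with comments removed. Prefer named-checkconf -p
# (canonical form, include files expanded) when available; otherwise use sed.
effective_config() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -p "$1" 2>/dev/null && return 0
    fi
    sed -e 's:/\*.*\*/::g' -e 's://.*$::' -e 's:#.*$::' "$1"
}

# Exit status 0 if an active deny-answer-aliases statement is present
# (in options or in any view block), 1 otherwise.
config_enables_deny_answer_aliases() {
    effective_config "$1" |
        grep -Eq '^[[:space:]]*deny-answer-aliases[[:space:]]*[{]'
}

# Print a verdict; same exit status as the check above.
check_config() {
    if config_enables_deny_answer_aliases "$1"; then
        echo "$1: deny-answer-aliases is enabled; affected by CVE-2018-5740 unless running a fixed release"
        return 0
    fi
    echo "$1: deny-answer-aliases not enabled; not affected by CVE-2018-5740"
    return 1
}

# Constructed sample configurations (hypothetical paths and domain names).
# The first is the weak setting, the second the same file with the workaround applied.
write_samples() {
    SAMPLE_DIR=$(mktemp -d)
    VULN_CONF="$SAMPLE_DIR/named-vulnerable.conf"
    SAFE_CONF="$SAMPLE_DIR/named-hardened.conf"
    cat > "$VULN_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    /* DNS-rebinding protection: the statement CVE-2018-5740 hinges on */
    deny-answer-aliases { "example.com"; };
};
EOF
    cat > "$SAFE_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    // Workaround: statement commented out until the fixed release is deployed.
    // deny-answer-aliases { "example.com"; };
};
EOF
}

# Demo run: audit both constructed files, then clean up.
write_samples
check_config "$VULN_CONF" || true
check_config "$SAFE_CONF" || true
rm -rf "$SAMPLE_DIR"
```

Point check_config at the real file (commonly /etc/named.conf or /etc/bind/named.conf); a statement inside a view block is caught as well, because the pattern matches the statement wherever it appears. A statement hidden inside a multi-line /* */ comment is still reported as enabled by the sed fallback, a false positive in the safe direction; named-checkconf -p does not have that limitation.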
In 2016, another BIND vulnerability, CVE-2016-2776, was disclosed, and Trend Micro researchers published a detailed analysis of it. It could be triggered when a DNS server constructed a response to a crafted query and the response exceeded the default DNS response size of 512 bytes. ISC quickly fixed the two vulnerable functions, dns_message_renderbegin() and dns_message_rendersection(). Despite the quick reaction, the flaw was actively exploited in attacks.