Arch Linux Security Advisory ASA-201805-20

Severity: Medium
Date : 2018-05-20
CVE-ID : CVE-2018-5736 CVE-2018-5737
Package : bind
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-706

Summary

The package bind before version 9.12.1.P2-1 is vulnerable to denial of
service.

Resolution

Upgrade to 9.12.1.P2-1.

pacman -Syu “bind>=9.12.1.P2-1”

The problems have been fixed upstream in version 9.12.1.P2.

Workaround

• CVE-2018-5736

For servers which must receive notifies to keep slave zone contents
current, no complete workarounds are known although restricting BIND to
only accept NOTIFY messages from authorised sources can greatly
mitigate the risk of attack.

• CVE-2018-5737

Setting “max-stale-ttl 0;” in named.conf will prevent exploitation of
this vulnerability (but will effectively disable the serve-stale
feature.)

Description

• CVE-2018-5736 (denial of service)

An error in zone database reference counting can lead to an assertion
failure if a server which is running an affected version of BIND
attempts several transfers of a slave zone in quick succession.

• CVE-2018-5737 (denial of service)

A problem with the implementation of the new serve-stale feature in
BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-
answer-enable is off.

Impact

A remote attacker is able to cause a denial of service via crafted
queries.

References

http://marc.info/[email protected]
https://kb.isc.org/article/AA-01602/74/CVE-2018-5736
https://kb.isc.org/article/AA-01606/74/CVE-2018-5737
https://security.archlinux.org/CVE-2018-5736
https://security.archlinux.org/CVE-2018-5737