7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.025 Low
EPSS
Percentile
90.0%
Severity: High
Date : 2019-02-25
CVE-ID : CVE-2018-5744 CVE-2018-5745 CVE-2019-6465
Package : bind
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-915
The package bind before version 9.13.7-1 is vulnerable to multiple
issues including denial of service and access restriction bypass.
Upgrade to 9.13.7-1.
The problems have been fixed upstream in version 9.13.7.
None.
A failure to free memory can occur when processing messages having a
specific combination of EDNS options has been found in bind before
9.13.7. By exploiting this condition, an attacker can potentially cause
named’s memory use to grow without bounds until all memory available to
the process is exhausted. Typically a server process is limited as to
the amount of memory it can use but if the named process is not limited
by the operating system all free memory on the server could be
exhausted.
“managed-keys” is a feature which allows a BIND resolver to
automatically maintain the keys used by trust anchors which operators
configure for use in DNSSEC validation. Before 9.13.7, due to an error
in the managed-keys feature, it is possible for a BIND server which
uses managed-keys to exit due to an assertion failure if, during key
rollover, a trust anchor’s keys are replaced with keys which use an
unsupported algorithm.
Controls for zone transfers may not be properly applied to Dynamically
Loadable Zones (DLZs) if the zones are writable in bind before 9.13.7.
A client exercising this defect can request and receive a zone transfer
of a DLZ even when not permitted to do so by the allow-transfer ACL.
A remote user can bypass the allow-transfer ACL to access sensitive
information in a DLZ, or crash the server.
https://kb.isc.org/docs/cve-2018-5744
https://kb.isc.org/docs/cve-2018-5745
https://kb.isc.org/docs/cve-2019-6465
https://security.archlinux.org/CVE-2018-5744
https://security.archlinux.org/CVE-2018-5745
https://security.archlinux.org/CVE-2019-6465
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.025 Low
EPSS
Percentile
90.0%