A denial of service flaw was discovered in bind versions that include the "deny-answer-aliases" feature. This flaw may allow a remote attacker to trigger an INSIST assert in named leading to termination of the process and a denial of service condition.
Find out more about CVE-2018-5740 from the MITRE CVE dictionary dictionary and NIST NVD.
The "deny-answer-aliases" configuration option is not enabled in default configurations of bind. Upstream states that this option is very rarely used. As such, if customers have not specifically enabled this option in configurations, the risk should be mitigated.
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | None |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (bind) | RHSA-2018:2570 | 2018-08-27 |
| Red Hat Enterprise Linux 6 (bind) | RHSA-2018:2571 | 2018-08-27 |
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | bind | Not affected |
| Red Hat Enterprise Linux 5 | bind97 | Will not fix |
| Red Hat Enterprise Linux 5 | bind | Not affected |
Disabling the "deny-answer-aliases" configuration option should prevent exploitation.
Vulmon