CVE-2018-5738

Some versions of BIND can improperly permit recursive query service to unauthorized clients

  • Severity Score: 7.5 (CVSS v3)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query". However, because of the regression introduced by change #4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.

*Credits: ISC would like to thank Andrew Skalski for reporting this issue.
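
The default-resolution rules in the description, written out as an added audit sketch (not ISC's code and not part of the original record): it reads named.conf text, works out which ACL governs recursion under the documented behaviour and under the regression, and flags configurations where the two differ. The parser is simplified, the function names are hypothetical, and `any` is BIND's built-in ACL name for all hosts.

```python
import re

# Statements whose explicit presence decides how allow-recursion is defaulted.
ACL_KEYS = ("allow-recursion", "allow-query-cache", "allow-query")

def parse_options(conf_text):
    """Extract 'recursion' and the three ACL statements from named.conf text.

    Simplified for this example: strips comments, does not follow include
    files and does not separate global options from per-view overrides."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    found = {"recursion": m.group(1) if m else "yes"}  # "yes" is the default
    for key in ACL_KEYS:
        m = re.search(r"(?<![\w-])" + re.escape(key) + r"\s*\{([^}]*)\}\s*;", text)
        if m:
            found[key] = " ".join(m.group(1).split())
    return found

def effective_allow_recursion(opts, regressed):
    """Return the ACL that ends up governing recursion.

    regressed=False models the documented behaviour; regressed=True models
    the releases affected by change #4777, as the description states it."""
    if "allow-recursion" in opts:
        return opts["allow-recursion"]
    if opts["recursion"] == "no":
        return "none;"
    for key in ("allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]  # inherited from an explicitly set match list
    return "any;" if regressed else "localhost; localnets;"

def exposed_to_cve_2018_5738(conf_text):
    """True when the regression changes who may recurse for this config."""
    opts = parse_options(conf_text)
    return effective_allow_recursion(opts, True) != effective_allow_recursion(opts, False)

# Constructed sample configurations (not taken from any real deployment).
IMPLICIT = 'options { directory "/var/named"; recursion yes; };'
EXPLICIT = """options {
    recursion yes;
    allow-recursion { localhost; localnets; };  // stated explicitly
};"""
INHERITED = "options { allow-query { 10.0.0.0/8; }; };"

if __name__ == "__main__":
    for name in ("IMPLICIT", "EXPLICIT", "INHERITED"):
        print(name, "flagged:", exposed_to_cve_2018_5738(globals()[name]))
```

A configuration that states "allow-recursion" explicitly resolves to the same ACL under both behaviours, so it is not flagged whichever release is installed.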
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-01-17 CVE Reserved
  • 2018-06-13 CVE Published
  • 2024-02-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Affected Vendors, Products, and Versions
Vendor     Product       Version  Other  Status
Isc        Bind          9.9.12   -      Affected
Isc        Bind          9.9.12   s1     Affected
Isc        Bind          9.10.7   -      Affected
Isc        Bind          9.10.7   s1     Affected
Isc        Bind          9.11.3   -      Affected
Isc        Bind          9.11.3   s1     Affected
Isc        Bind          9.11.3   s2     Affected
Isc        Bind          9.12.0   -      Affected
Isc        Bind          9.12.0   a1     Affected
Isc        Bind          9.12.0   b1     Affected
Isc        Bind          9.12.0   b2     Affected
Isc        Bind          9.12.0   rc1    Affected
Isc        Bind          9.12.0   rc3    Affected
Isc        Bind          9.12.1   -      Affected
Isc        Bind          9.12.1   p1     Affected
Isc        Bind          9.12.1   p2     Affected
Isc        Bind          9.13.0   -      Affected
Canonical  Ubuntu Linux  18.04    lts    Affected