Attacker Value

Unknown

0

A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named

0

Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

None

Attack Vector

Network

0

A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named

Disclosure Date: January 16, 2019 •

CVE-2018-5740 CVSS v3 Base Score: 7.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

“deny-answer-aliases” is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

Vendors

canonical,
debian,
hp,
isc,
netapp,
opensuse,
redhat

Products

bind,
data ontap edge -,
debian linux 8.0,
debian linux 9.0,
enterprise linux desktop 6.0,
enterprise linux desktop 7.0,
enterprise linux server 6.0,
enterprise linux server 7.0,
enterprise linux server aus 7.6,
enterprise linux server eus 7.5,
enterprise linux server eus 7.6,
enterprise linux workstation 6.0,
enterprise linux workstation 7.0,
hp-ux -,
leap 15.0,
leap 15.1,
leap 42.3,
ubuntu linux 12.04,
ubuntu linux 14.04,
ubuntu linux 16.04,
ubuntu linux 18.04

References

Canonical

CVE-2018-5740 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5740)

BID-105055 (http://www.securityfocus.com/bid/105055)

Advisory

[debian-lts-announce] 20180830 [SECURITY] [DLA 1485-1] bind9 security update (https://lists.debian.org/debian-lts-announce/2018/08/msg00033.html)

https://access.redhat.com/errata/RHSA-2018:2570

https://access.redhat.com/errata/RHSA-2018:2571

USN-3769-2 (https://usn.ubuntu.com/3769-2)

SECTRACK-1041436 (http://www.securitytracker.com/id/1041436)

https://security.netapp.com/advisory/ntap-20180926-0003

https://kb.isc.org/docs/aa-01639

USN-3769-1 (https://usn.ubuntu.com/3769-1)

GLSA-201903-13 (https://security.gentoo.org/glsa/201903-13)

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00027.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00026.html

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03927en_us

USN-3769-2 (https://usn.ubuntu.com/3769-2/)

https://security.netapp.com/advisory/ntap-20180926-0003/

USN-3769-1 (https://usn.ubuntu.com/3769-1/)

[debian-lts-announce] 20211102 [SECURITY] [DLA 2807-1] bind9 security update (https://lists.debian.org/debian-lts-announce/2021/11/msg00001.html)

Rapid7

Technical Analysis