The vulnerability tracked as CVE-2018-5740 was discovered by Tony Finch of the University of Cambridge. The flaw has been assigned a CVSS score of 7.5, the expert pointed out that the flaw only affects servers that have on a feature called “deny-answer-aliases” enabled. The good news is that this specific feature is disabled by default.
The “deny-answer-aliases” feature is was implemented to help recursive server operators protect users against DNS rebinding attacks. The DNS rebinding arracks allow any website to create a dns name that they are authorized to communicate with, and then make it resolve to localhost. A remote hacker to abuse the targeted user’s browser to directly connect with hosts on the local network and exploit flaws in these systems.
“deny-answer-aliases” is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an INSIST assertion failure in name.c.” states the security advisory published by the ISC.
“Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients. Only servers which have explicitly enabled the “deny-answer-aliases” feature are at risk and disabling the feature prevents exploitation.”
The vulnerability affects BIND versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2.
The ISC has issued a security patch that is implemented in versions 9.9.13-P1, 9.10.8-P1, 9.11.4-P1 and 9.12.2-P1. The organization also provided a workaround that consists in disabling the “deny-answer-aliases” feature.
“Most operators will not need to make any changes unless they are using the “deny-answer-aliases” feature (which is described in the BIND 9 Adminstrator Reference Manual section 6.2.) “deny-answer-aliases” is off by default; only configurations which explicitly enable it can be affected by this defect.” continues the advisory.
“If you are using “deny-answer-aliases”, upgrade to the patched release most closely related to your current version of BIND.
At the time, there is no news about the exploitation of the flaw in attacks in the wild.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – BIND DNS software, DoS)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Cloud Services Appliance Vulnerability to its…
Ivanti warned of a new Cloud Services Appliance (CSA) vulnerability that is being exploited in…
An international law enforcement operation infiltrated the encrypted messaging app Ghost, which was widely used…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle…
Small and medium-sized enterprises (SMEs) are a frequent target for cybercriminals. How can SIEM help…
Russian anti-virus firm Doctor Web (Dr.Web) disconnected all servers following a cyberattack over the weekend.…
This website uses cookies.