BIND DNS software includes a security feature that could be abused to cause DoS condition

The Internet Systems Consortium (ISC) announced the presence of a serious flaw in the BIND DNS software that can be exploited by remote attackers to cause a denial-of-service (DoS) condition.

The vulnerability tracked as CVE-2018-5740 was discovered by Tony Finch of the University of Cambridge. The flaw has been assigned a CVSS score of 7.5, the expert pointed out that the flaw only affects servers that have on a feature called “deny-answer-aliases” enabled. The good news is that this specific feature is disabled by default.

The “deny-answer-aliases” feature is was implemented to help recursive server operators protect users against DNS rebinding attacks. The DNS rebinding arracks allow any website to create a dns name that they are authorized to communicate with, and then make it resolve to localhost. A remote hacker to abuse the targeted user’s browser to directly connect with hosts on the local network and exploit flaws in these systems.

“deny-answer-aliases” is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers.  However, a defect in this feature makes it easy, when the feature is in use, to experience an INSIST assertion failure in name.c.” states the security advisory published by the ISC.

Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients.  Only servers which have explicitly enabled the “deny-answer-aliases” feature are at risk and disabling the feature prevents exploitation.”

The vulnerability affects BIND versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2.

The ISC has issued a security patch that is implemented in versions 9.9.13-P1, 9.10.8-P1, 9.11.4-P1 and 9.12.2-P1. The organization also provided a workaround that consists in disabling the “deny-answer-aliases” feature.

“Most operators will not need to make any changes unless they are using the “deny-answer-aliases” feature (which is described in the BIND 9 Adminstrator Reference Manual section 6.2.)  “deny-answer-aliases” is off by default; only configurations which explicitly enable it can be affected by this defect.” continues the advisory.

“If you are using “deny-answer-aliases”, upgrade to the patched release most closely related to your current version of BIND.

  • 9.9.13-P1
  • 9.10.8-P1
  • 9.11.4-P1
  • 9.12.2-P1″

At the time, there is no news about the exploitation of the flaw in attacks in the wild.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – BIND DNS software, DoS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.