Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query". However, because of the regression introduced by change #4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.

The remote NewStart CGSL host, running version MAIN 6.02, has bind packages installed that are affected by multiple vulnerabilities:

  - ISC BIND 9 through 9.5.0a5 uses a weak random number generator during generation of DNS query ids when     answering resolver questions or sending NOTIFY messages to slave name servers, which makes it easier for     remote attackers to guess the next query id and perform DNS cache poisoning. (CVE-2007-2926)

  - Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file with world-readable permissions,     which allows local users to perform unauthorized named commands, such as causing a denial of service by     stopping named. (CVE-2007-6283)

  - Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in     FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service     (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
    (CVE-2008-0122)

  - The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2)     Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations     allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to     conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction     IDs and source ports, aka DNS Insufficient Socket Entropy Vulnerability or the Kaminsky bug.
    (CVE-2008-1447)

  - BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL     DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a     malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. (CVE-2009-0025)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the bind packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Change #4777 (introduced in October 2017) introduced an     unforeseen issue in releases which were issued after     that date, affecting which clients are permitted to     make recursive queries to a BIND nameserver. The     intended (and documented) behavior is that if an     operator has not specified a value for the     'allow-recursion' setting, it SHOULD default to one of     the following: none, if 'recursion no' is set in     named.conf a value inherited from the     'allow-query-cache' or 'allow-query' settings IF     'recursion yes' (the default for that setting) AND     match lists are explicitly set for 'allow-query-cache'     or 'allow-query' (see the BIND9 Administrative     Reference Manual section 6.2 for more details) or the     intended default of 'allow-recursion {localhost     localnets}' if 'recursion yes' is in effect and no     values are explicitly set for 'allow-query-cache' or     'allow-query'. However, because of the regression     introduced by change #4777, it is possible when     'recursion yes' is in effect and no match list values     are provided for 'allow-query-cache' or 'allow-query'     for the setting of 'allow-recursion' to inherit a     setting of all hosts from the 'allow-query' setting     default, improperly permitting recursion to all     clients. Affects BIND 9.9.12, 9.10.7, 9.11.3,     9.12.0->9.12.1-P2, the development release 9.13.0, and     also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and     9.11.3-S2 from BIND 9 Supported Preview     Edition.(CVE-2018-5738)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201903-13 (BIND: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in BIND. Please review the       CVE identifiers referenced below for details.
  Impact :

    BIND can improperly permit recursive query service to unauthorized       clients possibly resulting in a Denial of Service condition or to be used       in DNS reflection attacks.
  Workaround :

    There is no known workaround at this time.

According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.9.12, 9.10.7, 9.11.3, 9.12.0 prior to or equal to 9.12.1-P2, development release 9.13.0, 9.9.12-S1, 9.11.3-S1, or 9.11.3-S2.  It is, therefore, affected by an allow-recursion vulnerability which exists in the named.conf due to a regression issue introduced by change #4777.

An unauthenticated, remote attacker can exploit this to cause undesirable behavior such as a degradation or denial of service, DNS reflection attacks, or potentially leak private information about what queries have been performed.

- Fix CVE-2018-5738

  - Remove named.iscdlv.key

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to last security release

  - Fixes CVE-2018-5738

  - Adds root key sentinel mechanism support

  - incremental zone transfer limit to prevent journal     corruption

  - rndc reload memory leak

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 9.11.4-P1

  - Fixes CVE-2018-5738

  - Adds root key sentinel mechanism support

  - incremental zone transfer limit to prevent journal     corruption

  - rndc reload memory leak

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to bind 9.11.4

----

  - Fix CVE-2018-5738

  - Remove named.iscdlv.key

  - Make home writeable

  - Use invalid shell /bin/false for bind

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New bind packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

The remote Ubuntu 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3683-1 advisory.

    Andrew Skalski discovered that Bind could incorrectly enable recursion when the allow-recursion setting     wasn't specified. This issue could improperly permit recursion to all clients, contrary to expectations.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
206846	NewStart CGSL MAIN 6.02 : bind Multiple Vulnerabilities (NS-SA-2024-0060)	Nessus	NewStart CGSL Local Security Checks	low
131486	EulerOS Virtualization for ARM 64 3.0.3.0 : bind (EulerOS-SA-2019-2321)	Nessus	Huawei Local Security Checks	high
122835	GLSA-201903-13 : BIND: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
122240	ISC BIND Allow-Recursion Vulnerability	Nessus	DNS	high
120758	Fedora 28 : 32:bind (2018-bfec61fb2f)	Nessus	Fedora Local Security Checks	high
120429	Fedora 28 : 32:bind (2018-5417ca3713)	Nessus	Fedora Local Security Checks	high
112068	Fedora 27 : 32:bind (2018-90f8fbd58e)	Nessus	Fedora Local Security Checks	high
111476	Fedora 27 : 32:bind / bind-dyndb-ldap / dnsperf (2018-c0f12f789e)	Nessus	Fedora Local Security Checks	high
111035	Slackware 14.0 / 14.1 / 14.2 / current : bind (SSA:2018-192-01)	Nessus	Slackware Local Security Checks	high
110532	Ubuntu 18.04 LTS : Bind vulnerability (USN-3683-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2018-5738

high

Tenable Plugins

low

high

high

high

high

high

high

high

high

high