Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query". However, because of the regression introduced by change #4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.

According to the versions of the bind packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Change #4777 (introduced in October 2017) introduced an     unforeseen issue in releases which were issued after     that date, affecting which clients are permitted to     make recursive queries to a BIND nameserver. The     intended (and documented) behavior is that if an     operator has not specified a value for the     'allow-recursion' setting, it SHOULD default to one of     the following: none, if 'recursion no' is set in     named.conf a value inherited from the     'allow-query-cache' or 'allow-query' settings IF     'recursion yes' (the default for that setting) AND     match lists are explicitly set for 'allow-query-cache'     or 'allow-query' (see the BIND9 Administrative     Reference Manual section 6.2 for more details) or the     intended default of 'allow-recursion {localhost     localnets}' if 'recursion yes' is in effect and no     values are explicitly set for 'allow-query-cache' or     'allow-query'. However, because of the regression     introduced by change #4777, it is possible when     'recursion yes' is in effect and no match list values     are provided for 'allow-query-cache' or 'allow-query'     for the setting of 'allow-recursion' to inherit a     setting of all hosts from the 'allow-query' setting     default, improperly permitting recursion to all     clients. Affects BIND 9.9.12, 9.10.7, 9.11.3,     9.12.0->9.12.1-P2, the development release 9.13.0, and     also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and     9.11.3-S2 from BIND 9 Supported Preview     Edition.(CVE-2018-5738)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201903-13 (BIND: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in BIND. Please review the       CVE identifiers referenced below for details.
  Impact :

    BIND can improperly permit recursive query service to unauthorized       clients possibly resulting in a Denial of Service condition or to be used       in DNS reflection attacks.
  Workaround :

    There is no known workaround at this time.

According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.9.12, 9.10.7, 9.11.3, 9.12.0 prior to or equal to 9.12.1-P2, development release 9.13.0, 9.9.12-S1, 9.11.3-S1, or 9.11.3-S2.  It is, therefore, affected by an allow-recursion vulnerability which exists in the named.conf due to a regression issue introduced by change #4777.

An unauthenticated, remote attacker can exploit this to cause undesirable behavior such as a degradation or denial of service, DNS reflection attacks, or potentially leak private information about what queries have been performed.

- Fix CVE-2018-5738

  - Remove named.iscdlv.key

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to last security release

  - Fixes CVE-2018-5738

  - Adds root key sentinel mechanism support

  - incremental zone transfer limit to prevent journal     corruption

  - rndc reload memory leak

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 9.11.4-P1

  - Fixes CVE-2018-5738

  - Adds root key sentinel mechanism support

  - incremental zone transfer limit to prevent journal     corruption

  - rndc reload memory leak

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to bind 9.11.4

----

  - Fix CVE-2018-5738

  - Remove named.iscdlv.key

  - Make home writeable

  - Use invalid shell /bin/false for bind

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New bind packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

Andrew Skalski discovered that Bind could incorrectly enable recursion when the 'allow-recursion' setting wasn't specified. This issue could improperly permit recursion to all clients, contrary to expectations.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
131486	EulerOS Virtualization for ARM 64 3.0.3.0 : bind (EulerOS-SA-2019-2321)	Nessus	Huawei Local Security Checks	high
122835	GLSA-201903-13 : BIND: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
122240	ISC BIND Allow-Recursion Vulnerability	Nessus	DNS	high
120758	Fedora 28 : 32:bind (2018-bfec61fb2f)	Nessus	Fedora Local Security Checks	high
120429	Fedora 28 : 32:bind (2018-5417ca3713)	Nessus	Fedora Local Security Checks	high
112068	Fedora 27 : 32:bind (2018-90f8fbd58e)	Nessus	Fedora Local Security Checks	high
111476	Fedora 27 : 32:bind / bind-dyndb-ldap / dnsperf (2018-c0f12f789e)	Nessus	Fedora Local Security Checks	high
111035	Slackware 14.0 / 14.1 / 14.2 / current : bind (SSA:2018-192-01)	Nessus	Slackware Local Security Checks	high
110532	Ubuntu 18.04 LTS : Bind vulnerability (USN-3683-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2018-5738

high

Tenable Plugins

high

high

high

high

high

high

high

high

high