105379

1041674

RHSA-2019:2057

https://kb.isc.org/docs/cve-2018-5741

GLSA-201903-13

https://security.netapp.com/advisory/ntap-20190830-0001/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03927en_us

According to the versions of the bind packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1,     and 9.11.x through 9.11.0b1 allows primary DNS servers     to cause a denial of service (secondary DNS server     crash) via a large AXFR response, and possibly allows     IXFR servers to cause a denial of service (IXFR client     crash) via a large IXFR response and allows remote     authenticated users to cause a denial of service     (primary DNS server crash) via a large UPDATE     message.(CVE-2016-6170)

  - It was found that the controls for zone transfer were     not properly applied to Dynamically Loadable Zones     (DLZs). An attacker acting as a DNS client could use     this flaw to request and receive a zone transfer of a     DLZ even when not permitted to do so by the     'allow-transfer' ACL.(CVE-2019-6465)

  - To provide fine-grained controls over the ability to     use Dynamic DNS (DDNS) to update records in a zone,     BIND 9 provides a feature called update-policy. Various     rules can be configured to limit the types of updates     that can be performed by a client, depending on the key     used when sending the update request. Unfortunately,     some rule types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types,     krb5-subdomain and ms-subdomain. This incorrect     documentation could mislead operators into believing     that policies they had configured were more restrictive     than they actually were. This affects BIND versions     prior to BIND 9.11.5 and BIND 9.12.3.(CVE-2018-5741)

  - An assertion failure was found in the way bind     implemented the 'managed keys' feature. An attacker     could use this flaw to cause the named daemon to crash.
    This flaw is very difficult for an attacker to trigger     because it requires an operator to have BIND configured     to use a trust anchor managed by the     attacker.(CVE-2018-5745)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - It was found that bind does not implement reasonable     restrictions for zone sizes. This allows an explicitly     configured primary DNS server for a zone to crash a     secondary DNS server, affecting service of other zones     hosted on the same secondary server.(CVE-2016-6170)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - To provide fine-grained controls over the ability to     use Dynamic DNS (DDNS) to update records in a zone,     BIND 9 provides a feature called update-policy. Various     rules can be configured to limit the types of updates     that can be performed by a client, depending on the key     used when sending the update request. Unfortunately,     some rule types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types,     krb5-subdomain and ms-subdomain. This incorrect     documentation could mislead operators into believing     that policies they had configured were more restrictive     than they actually were. This affects BIND versions     prior to BIND 9.11.5 and BIND 9.12.3.(CVE-2018-5741)

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has bind packages installed that are affected by a vulnerability:

  - To provide fine-grained controls over the ability to use     Dynamic DNS (DDNS) to update records in a zone, BIND 9     provides a feature called update-policy. Various rules     can be configured to limit the types of updates that can     be performed by a client, depending on the key used when     sending the update request. Unfortunately, some rule     types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types, krb5-subdomain     and ms-subdomain. This incorrect documentation could     mislead operators into believing that policies they had     configured were more restrictive than they actually     were. This affects BIND versions prior to BIND 9.11.5     and BIND 9.12.3. (CVE-2018-5741)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1,     and 9.11.x through 9.11.0b1 allows primary DNS servers     to cause a denial of service (secondary DNS server     crash) via a large AXFR response, and possibly allows     IXFR servers to cause a denial of service (IXFR client     crash) via a large IXFR response and allows remote     authenticated users to cause a denial of service     (primary DNS server crash) via a large UPDATE     message.(CVE-2016-6170)

  - To provide fine-grained controls over the ability to     use Dynamic DNS (DDNS) to update records in a zone,     BIND 9 provides a feature called update-policy. Various     rules can be configured to limit the types of updates     that can be performed by a client, depending on the key     used when sending the update request. Unfortunately,     some rule types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types,     krb5-subdomain and ms-subdomain. This incorrect     documentation could mislead operators into believing     that policies they had configured were more restrictive     than they actually were. This affects BIND versions     prior to BIND 9.11.5 and BIND 9.12.3.(CVE-2018-5741)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - To provide fine-grained controls over the ability to     use Dynamic DNS (DDNS) to update records in a zone,     BIND 9 provides a feature called update-policy. Various     rules can be configured to limit the types of updates     that can be performed by a client, depending on the key     used when sending the update request. Unfortunately,     some rule types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types,     krb5-subdomain and ms-subdomain. This incorrect     documentation could mislead operators into believing     that policies they had configured were more restrictive     than they actually were. This affects BIND versions     prior to BIND 9.11.5 and BIND 9.12.3.(CVE-2018-5741)

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1,     and 9.11.x through 9.11.0b1 allows primary DNS servers     to cause a denial of service (secondary DNS server     crash) via a large AXFR response, and possibly allows     IXFR servers to cause a denial of service (IXFR client     crash) via a large IXFR response and allows remote     authenticated users to cause a denial of service     (primary DNS server crash) via a large UPDATE     message.(CVE-2016-6170)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

  - ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1,     and 9.11.x through 9.11.0b1 allows primary DNS servers     to cause a denial of service (secondary DNS server     crash) via a large AXFR response, and possibly allows     IXFR servers to cause a denial of service (IXFR client     crash) via a large IXFR response and allows remote     authenticated users to cause a denial of service     (primary DNS server crash) via a large UPDATE     message.(CVE-2016-6170)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - To provide fine-grained controls over the ability to     use Dynamic DNS (DDNS) to update records in a zone,     BIND 9 provides a feature called update-policy. Various     rules can be configured to limit the types of updates     that can be performed by a client, depending on the key     used when sending the update request. Unfortunately,     some rule types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types,     krb5-subdomain and ms-subdomain. This incorrect     documentation could mislead operators into believing     that policies they had configured were more restrictive     than they actually were. This affects BIND versions     prior to BIND 9.11.5 and BIND 9.12.3.(CVE-2018-5741)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has bind packages installed that are affected by a vulnerability:

  - To provide fine-grained controls over the ability to use     Dynamic DNS (DDNS) to update records in a zone, BIND 9     provides a feature called update-policy. Various rules     can be configured to limit the types of updates that can     be performed by a client, depending on the key used when     sending the update request. Unfortunately, some rule     types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types, krb5-subdomain     and ms-subdomain. This incorrect documentation could     mislead operators into believing that policies they had     configured were more restrictive than they actually     were. This affects BIND versions prior to BIND 9.11.5     and BIND 9.12.3. (CVE-2018-5741)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for bind is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

The following packages have been upgraded to a later upstream version:
bind (9.11.4). (BZ#1640561)

Security Fix(es) :

* bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies (CVE-2018-5741)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

The following packages have been upgraded to a later upstream version:
bind (9.11.4).

Security Fix(es) :

  - bind: Incorrect documentation of krb5-subdomain and     ms-subdomain update policies (CVE-2018-5741)

To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were.(CVE-2018-5741)

To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. (CVE-2018-5741)

The remote host is affected by the vulnerability described in GLSA-201903-13 (BIND: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in BIND. Please review the       CVE identifiers referenced below for details.
  Impact :

    BIND can improperly permit recursive query service to unauthorized       clients possibly resulting in a Denial of Service condition or to be used       in DNS reflection attacks.
  Workaround :

    There is no known workaround at this time.

- Update to bind-9.11.4-P2

  - Add /dev/urandom to chroot (#1631515)

  - Fix multilib conflicts of devel package

  - Add support for OpenSSL provided random data

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the instance of ISC 9.x.x prior to 9.11.5, or 9.12.x prior to 9.12.3. It is, therefore, affected by a policy bypass record update vulnerability.

Update to bind 9.11.4-P2

  - Fixes CVE-2018-5741

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135622	EulerOS Virtualization 3.0.2.2 : bind (EulerOS-SA-2020-1460)	Nessus	Huawei Local Security Checks	medium
134492	EulerOS Virtualization for ARM 64 3.0.2.0 : bind (EulerOS-SA-2020-1203)	Nessus	Huawei Local Security Checks	medium
132476	NewStart CGSL CORE 5.05 / MAIN 5.05 : bind Vulnerability (NS-SA-2019-0232)	Nessus	NewStart CGSL Local Security Checks	medium
132274	EulerOS 2.0 SP3 : bind (EulerOS-SA-2019-2557)	Nessus	Huawei Local Security Checks	medium
131607	EulerOS 2.0 SP2 : bind (EulerOS-SA-2019-2453)	Nessus	Huawei Local Security Checks	medium
130837	EulerOS 2.0 SP5 : bind (EulerOS-SA-2019-2128)	Nessus	Huawei Local Security Checks	medium
129892	NewStart CGSL CORE 5.04 / MAIN 5.04 : bind Vulnerability (NS-SA-2019-0191)	Nessus	NewStart CGSL Local Security Checks	medium
128344	CentOS 7 : bind (CESA-2019:2057)	Nessus	CentOS Local Security Checks	medium
128208	Scientific Linux Security Update : bind on SL7.x x86_64 (20190806)	Nessus	Scientific Linux Local Security Checks	medium
127663	RHEL 7 : bind (RHSA-2019:2057)	Nessus	Red Hat Local Security Checks	medium
124123	Amazon Linux 2 : bind (ALAS-2019-1187)	Nessus	Amazon Linux Local Security Checks	medium
123956	Amazon Linux AMI : bind (ALAS-2019-1187)	Nessus	Amazon Linux Local Security Checks	medium
122835	GLSA-201903-13 : BIND: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
120900	Fedora 28 : 32:bind (2018-f22b937f52)	Nessus	Fedora Local Security Checks	medium
120673	Fedora 29 : 32:bind (2018-a54e46032f)	Nessus	Fedora Local Security Checks	medium
119264	ISC BIND 9.x.x < 9.11.5 / 9.12.x < 9.12.3 Policy-Bypass Record Update Vulnerability	Nessus	DNS	medium
118101	Fedora 27 : 32:bind (2018-54d84b0b0c)	Nessus	Fedora Local Security Checks	medium

CVE-2018-5741

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins