RHSA-2019:3552

https://kb.isc.org/docs/cve-2019-6465

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - To provide fine-grained controls over the ability to     use Dynamic DNS (DDNS) to update records in a zone,     BIND 9 provides a feature called update-policy. Various     rules can be configured to limit the types of updates     that can be performed by a client, depending on the key     used when sending the update request. Unfortunately,     some rule types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types,     krb5-subdomain and ms-subdomain. This incorrect     documentation could mislead operators into believing     that policies they had configured were more restrictive     than they actually were. This affects BIND versions     prior to BIND 9.11.5 and BIND 9.12.3.(CVE-2018-5741)

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1,     and 9.11.x through 9.11.0b1 allows primary DNS servers     to cause a denial of service (secondary DNS server     crash) via a large AXFR response, and possibly allows     IXFR servers to cause a denial of service (IXFR client     crash) via a large IXFR response and allows remote     authenticated users to cause a denial of service     (primary DNS server crash) via a large UPDATE     message.(CVE-2016-6170)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Change #4777 (introduced in October 2017) introduced an     unforeseen issue in releases which were issued after     that date, affecting which clients are permitted to     make recursive queries to a BIND nameserver. The     intended (and documented) behavior is that if an     operator has not specified a value for the     'allow-recursion' setting, it SHOULD default to one of     the following: none, if 'recursion no' is set in     named.conf a value inherited from the     'allow-query-cache' or 'allow-query' settings IF     'recursion yes' (the default for that setting) AND     match lists are explicitly set for 'allow-query-cache'     or 'allow-query' (see the BIND9 Administrative     Reference Manual section 6.2 for more details) or the     intended default of 'allow-recursion {localhost     localnets}' if 'recursion yes' is in effect and no     values are explicitly set for 'allow-query-cache' or     'allow-query'. However, because of the regression     introduced by change #4777, it is possible when     'recursion yes' is in effect and no match list values     are provided for 'allow-query-cache' or 'allow-query'     for the setting of 'allow-recursion' to inherit a     setting of all hosts from the 'allow-query' setting     default, improperly permitting recursion to all     clients. Affects BIND 9.9.12, 9.10.7, 9.11.3,     9.12.0->9.12.1-P2, the development release 9.13.0, and     also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and     9.11.3-S2 from BIND 9 Supported Preview     Edition.(CVE-2018-5738)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - 'managed-keys' is a feature which allows a BIND     resolver to automatically maintain the keys used by     trust anchors which operators configure for use in     DNSSEC validation. Due to an error in the managed-keys     feature it is possible for a BIND server which uses     managed-keys to exit due to an assertion failure if,     during key rollover, a trust anchor's keys are replaced     with keys which use an unsupported algorithm. Versions     affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,     9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3     of BIND 9 Supported Preview Edition. Versions 9.13.0 ->     9.13.6 of the 9.13 development branch are also     affected. Versions prior to BIND 9.9.0 have not been     evaluated for vulnerability to     CVE-2018-5745.(CVE-2018-5745)

  - ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1,     and 9.11.x through 9.11.0b1 allows primary DNS servers     to cause a denial of service (secondary DNS server     crash) via a large AXFR response, and possibly allows     IXFR servers to cause a denial of service (IXFR client     crash) via a large IXFR response and allows remote     authenticated users to cause a denial of service     (primary DNS server crash) via a large UPDATE     message.(CVE-2016-6170)

  - Controls for zone transfers may not be properly applied     to Dynamically Loadable Zones (DLZs) if the zones are     writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,     9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions     9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview     Edition. Versions 9.13.0 -> 9.13.6 of the 9.13     development branch are also affected. Versions prior to     BIND 9.9.0 have not been evaluated for vulnerability to     CVE-2019-6465.(CVE-2019-6465)

  - To provide fine-grained controls over the ability to     use Dynamic DNS (DDNS) to update records in a zone,     BIND 9 provides a feature called update-policy. Various     rules can be configured to limit the types of updates     that can be performed by a client, depending on the key     used when sending the update request. Unfortunately,     some rule types were not initially documented, and when     documentation for them was added to the Administrator     Reference Manual (ARM) in change #3112, the language     that was added to the ARM at that time incorrectly     described the behavior of two rule types,     krb5-subdomain and ms-subdomain. This incorrect     documentation could mislead operators into believing     that policies they had configured were more restrictive     than they actually were. This affects BIND versions     prior to BIND 9.11.5 and BIND 9.12.3.(CVE-2018-5741)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for bind is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es) :

* bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (CVE-2018-5745)

* bind: Controls for zone transfers may not be properly applied to DLZs if the zones are writable (CVE-2019-6465)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

This update for bind fixes the following issues :

Security issues fixed :

CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).

CVE-2019-6471: Fixed a reachable assert in dispatch.c. (bsc#1138687)

CVE-2018-5745: Fixed a denial of service vulnerability if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (bsc#1126068).

CVE-2018-5743: Fixed a denial of service vulnerability which could be caused by to many simultaneous TCP connections (bsc#1133185).

CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).

Non-security issues fixed: Don't rely on /etc/insserv.conf anymore for proper dependencies against nss-lookup.target in named.service and lwresd.service (bsc#1118367, bsc#1118368).

Fix FIPS related regression (bsc#1128220).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An assertion failure was found in the way bind     implemented the 'managed keys' feature. An attacker     could use this flaw to cause the named daemon to crash.
    This flaw is very difficult for an attacker to trigger     because it requires an operator to have BIND configured     to use a trust anchor managed by the     attacker.(CVE-2018-5745)

  - It was found that the controls for zone transfer were     not properly applied to Dynamically Loadable Zones     (DLZs). An attacker acting as a DNS client could use     this flaw to request and receive a zone transfer of a     DLZ even when not permitted to do so by the     'allow-transfer' ACL.(CVE-2019-6465)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for bind fixes the following issues :

Security issues fixed :

  - CVE-2019-6465: Fixed an issue where controls for zone     transfers may not be properly applied to Dynamically     Loadable Zones (bsc#1126069).

  - CVE-2018-5745: Fixed a denial of service vulnerability     if a trust anchor rolls over to an unsupported key     algorithm when using managed-keys (bsc#1126068).

  - CVE-2018-5743: Fixed a denial of service vulnerability     which could be caused by to many simultaneous TCP     connections (bsc#1133185).

  - CVE-2018-5740: Fixed a denial of service vulnerability     in the 'deny-answer-aliases' feature (bsc#1104129).

This update was imported from the SUSE:SLE-15:Update update project.

This update for bind fixes the following issues :

Security issues fixed :

  - CVE-2018-5740: Fixed a denial of service vulnerability     in the 'deny-answer-aliases' feature (bsc#1104129).

  - CVE-2019-6465: Fixed an issue where controls for zone     transfers may not be properly applied to Dynamically     Loadable Zones (bsc#1126069).

  - CVE-2018-5745: An assertion failure can occur if a trust     anchor rolls over to an unsupported key algorithm when     using managed-keys. (bsc#1126068)

  - CVE-2018-5743: Limiting simultaneous TCP clients is     ineffective. (bsc#1133185)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

This update for bind fixes the following issues :

Security issues fixed :

CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).

CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).

CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys.
(bsc#1126068)

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective.
(bsc#1133185)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for bind fixes the following issues :

Security issues fixed :

CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective.
(bsc#1133185)

CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys.
(bsc#1126068)

CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for bind fixes the following issues :

Security issues fixed :

CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).

CVE-2018-5745: Fixed a denial of service vulnerability if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (bsc#1126068).

CVE-2018-5743: Fixed a denial of service vulnerability which could be caused by to many simultaneous TCP connections (bsc#1133185).

CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were found in the BIND DNS server :

  - CVE-2018-5743     Connection limits were incorrectly enforced.

  - CVE-2018-5745     The 'managed-keys' feature was susceptible to denial of     service by triggering an assert.

  - CVE-2019-6465     ACLs for zone transfers were incorrectly enforced for     dynamically loadable zones (DLZs).

**RESERVED** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.
When the candidate has been publicized, the details for this candidate will be provided.(CVE-2019-6465)

Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable.

Impact

BIG-IP

An attacker can exploit this vulnerabilitytorequest and receive a zonetransfer of a DLZ that bypassestheallow-transfer accesscontrol list.

BIG-IQ, F5 iWorkflow, and Enterprise Manager

These F5 products are not vulnerablein the default, standard, and recommended configurations. This vulnerability is exposed on these products when a custom configurationis applied to the named service.

Traffix SDC

There is no impact for this F5 product; it is not affected by this vulnerability.

Two issues have been found in bind9, the Internet Domain Name Server.

CVE-2019-6465 Zone transfer for DLZs are executed though not permitted by ACLs.

CVE-2018-5745 Avoid assertion and thus causing named to deliberately exit when a trust anchor's key is replaced with a key which uses an unsupported algorithm.

For Debian 8 'Jessie', these problems have been fixed in version 1:9.9.5.dfsg-9+deb8u17.

We recommend that you upgrade your bind9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is between 9.9.0 and 9.10.8-P1, 9.11.0 and 9.11.5-P2, 9.12.0 and 9.12.3-P2, 9.9.3-S1 and 9.11.5-S3, & 9.13.0 and 9.13.6. It is, therefore, affected by a zone transfer vulnerability.

  - A zone transfer vulnerability exists for writable DLZ zones.  An     unauthenticated, remote attacker can exploit this, via     allowzonexfr method bypass, to bypass transfer controls.     (CVE-2019-6465)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Toshifumi Sakaguchi discovered that Bind incorrectly handled memory. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-5744)

It was discovered that Bind incorrectly handled certain trust anchors when used with the 'managed-keys' feature. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2018-5745)

It was discovered that Bind incorrectly handled certain controls for zone transfers, contrary to expectations. (CVE-2019-6465).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
131607	EulerOS 2.0 SP2 : bind (EulerOS-SA-2019-2453)	Nessus	Huawei Local Security Checks	medium
131486	EulerOS Virtualization for ARM 64 3.0.3.0 : bind (EulerOS-SA-2019-2321)	Nessus	Huawei Local Security Checks	medium
130837	EulerOS 2.0 SP5 : bind (EulerOS-SA-2019-2128)	Nessus	Huawei Local Security Checks	medium
130551	RHEL 8 : bind (RHSA-2019:3552)	Nessus	Red Hat Local Security Checks	medium
129526	SUSE SLED12 / SLES12 Security Update : bind (SUSE-SU-2019:2502-1)	Nessus	SuSE Local Security Checks	medium
128191	EulerOS 2.0 SP8 : bind (EulerOS-SA-2019-1822)	Nessus	Huawei Local Security Checks	medium
125808	openSUSE Security Update : bind (openSUSE-2019-1533)	Nessus	SuSE Local Security Checks	medium
125807	openSUSE Security Update : bind (openSUSE-2019-1532)	Nessus	SuSE Local Security Checks	medium
125799	SUSE SLES12 Security Update : bind (SUSE-SU-2019:1449-1)	Nessus	SuSE Local Security Checks	medium
125759	SUSE SLES11 Security Update : bind (SUSE-SU-2019:14074-1)	Nessus	SuSE Local Security Checks	medium
125703	SUSE SLED15 / SLES15 Security Update : bind (SUSE-SU-2019:1407-1)	Nessus	SuSE Local Security Checks	medium
124722	Debian DSA-4440-1 : bind9 - security update	Nessus	Debian Local Security Checks	medium
122553	F5 Networks BIG-IP : BIND vulnerability (K01713115)	Nessus	F5 Networks Local Security Checks	medium
122513	Debian DLA-1697-1 : bind9 security updat	Nessus	Debian Local Security Checks	medium
122507	ISC BIND Multiple Vulnerabilities	Nessus	DNS	medium
122399	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : bind9 vulnerabilities (USN-3893-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2019-6465

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins