CVE-2018-5738

Name of the Vulnerable Software and Affected Versions BIND 9 versions 9.9.12 through 9.9.12-S2 BIND 9 versions 9.10.7 through 9.10.7-S1 BIND 9 versions 9.11.3 through 9.11.3-S2 BIND 9 versions 9.12.0 through 9.12.1-P2 BIND 9 version 9.13.0

Description The issue is related to the bin/named/server.c component of the DNS BIND server, which lacks protection for service data. This could allow a remote attacker to gain unauthorized access to protected information. The problem affects the recursive query permission settings, potentially allowing unauthorized clients to make recursive queries to a BIND nameserver. This can lead to increased server load, participation in DNS reflection attacks, and potential leakage of private information about previously serviced queries.

Recommendations For BIND 9 versions 9.9.12 through 9.9.12-S2, update the allow-recursion setting to explicitly define permitted clients. For BIND 9 versions 9.10.7 through 9.10.7-S1, review and update the allow-query-cache or allow-query settings to ensure proper inheritance of allow-recursion values. For BIND 9 versions 9.11.3 through 9.11.3-S2, verify that recursion yes is in effect and set allow-recursion to the intended default of {localhost; localnets;} if no match list values are provided for allow-query-cache or allow-query. For BIND 9 versions 9.12.0 through 9.12.1-P2, and version 9.13.0, consider disabling recursive queries for unauthorized clients as a temporary workaround until a patch is available.