CVE-2018-5741

Name of the Vulnerable Software and Affected Versions: BIND versions prior to 9.11.5 BIND versions prior to 9.12.3

Description: The issue is related to the update-policy feature in BIND, which provides fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone. The feature allows various rules to be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. However, some rule types were not initially documented, and when documentation for them was added, it incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. The vulnerability is associated with incorrect authorization in the implementation of the automatic update method in the Dynamic DNS (DDNS) system of the BIND DNS server.

Recommendations: For BIND versions prior to 9.11.5, update to version 9.11.5 or later to resolve the issue. For BIND versions prior to 9.12.3, update to version 9.12.3 or later to resolve the issue. As a temporary workaround, consider reviewing and adjusting the update-policy configurations to ensure they are more restrictive than initially thought, until a patch is available.