{"containers": {"cna": {"affected": [{"product": "BIND 9", "vendor": "ISC", "versions": [{"status": "affected", "version": "9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition."}]}], "credits": [{"lang": "en", "value": " ISC would like to thank Andrew Skalski for reporting this issue."}], "datePublic": "2018-05-18T00:00:00", "descriptions": [{"lang": "en", "value": "Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the \"allow-recursion\" setting, it SHOULD default to one of the following: none, if \"recursion no;\" is set in named.conf; a value inherited from the \"allow-query-cache\" or \"allow-query\" settings IF \"recursion yes;\" (the default for that setting) AND match lists are explicitly set for \"allow-query-cache\" or \"allow-query\" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of \"allow-recursion {localhost; localnets;};\" if \"recursion yes;\" is in effect and no values are explicitly set for \"allow-query-cache\" or \"allow-query\". However, because of the regression introduced by change #4777, it is possible when \"recursion yes;\" is in effect and no match list values are provided for \"allow-query-cache\" or \"allow-query\" for the setting of \"allow-recursion\" to inherit a setting of all hosts from the \"allow-query\" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition."}], "exploits": [{"lang": "en", "value": "We are not aware of any exploits deliberately targeting this specific defect but it is not uncommon for scanners to search for open resolvers for use in reflection attacks and other mischief. We have at least one report from an operator who discovered that unauthorized clients were successfully making queries to his server and it is reasonable to assume that other servers with similar configurations may be currently affected although their operators are unaware."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "There are several potential problems which can be caused by improperly permitting recursive service to unauthorized clients, including:\n\n Additional queries from unauthorized clients may increase the load on a server, possibly degrading service to authorized clients.\n Allowing queries from unauthorized clients can potentially allow a server to be co-opted for use in DNS reflection attacks.\n An attacker may be able to deduce which queries a server has previously serviced by examining the results of queries answered from the cache, potentially leaking private information about what queries have been performed.\n", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-30T16:06:09", "orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc"}, "references": [{"name": "USN-3683-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3683-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kb.isc.org/docs/aa-01616"}, {"name": "1041115", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041115"}, {"name": "GLSA-201903-13", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201903-13"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190830-0002/"}], "solutions": [{"lang": "en", "value": "Future maintenance releases of BIND will correct the regression which introduced this issue but ISC does not believe that replacement security releases of BIND are required, given that several easy, safe, and completely effective configuration workarounds are available for any operators with affected configurations. However, an advance version of the patch diff which will be applied to future versions is available upon request to security-officer@isc.org and a correction for the behavior in question will debut in the release candidates for BIND 9.9.13, BIND 9.10.8, BIND 9.11.4, and BIND 9.12.2."}], "source": {"discovery": "UNKNOWN"}, "title": "Some versions of BIND can improperly permit recursive query service to unauthorized clients", "workarounds": [{"lang": "en", "value": "A number of configuration workarounds are available which completely avoid the problem. \n\nIf an operator has not chosen to specify some other permission, explicitly specifying \"allow-query {localnets; localhost;};\" in named.conf will provide behavior equivalent to the intended default.\n\nIf the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:\n\n allow-recursion\n allow-query\n allow-query-cache\n\nwill prevent the \"allow-recursion\" control from improperly inheriting a setting from the allow-query default. If a value is set for any of those values the behavior of allow-recursion will be set directly or inherited from one of the other values as described in the BIND Adminstrator Reference Manual section 6.2.\n\nServers which are not intended to perform recursion at all may also effectively prevent this condition by setting \"recursion no;\" in named.conf."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-officer@isc.org", "DATE_PUBLIC": "2018-05-18T00:00:00.000Z", "ID": "CVE-2018-5738", "STATE": "PUBLIC", "TITLE": "Some versions of BIND can improperly permit recursive query service to unauthorized clients"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIND 9", "version": {"version_data": [{"version_value": "9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition."}]}}]}, "vendor_name": "ISC"}]}}, "credit": [{"lang": "eng", "value": " ISC would like to thank Andrew Skalski for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the \"allow-recursion\" setting, it SHOULD default to one of the following: none, if \"recursion no;\" is set in named.conf; a value inherited from the \"allow-query-cache\" or \"allow-query\" settings IF \"recursion yes;\" (the default for that setting) AND match lists are explicitly set for \"allow-query-cache\" or \"allow-query\" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of \"allow-recursion {localhost; localnets;};\" if \"recursion yes;\" is in effect and no values are explicitly set for \"allow-query-cache\" or \"allow-query\". However, because of the regression introduced by change #4777, it is possible when \"recursion yes;\" is in effect and no match list values are provided for \"allow-query-cache\" or \"allow-query\" for the setting of \"allow-recursion\" to inherit a setting of all hosts from the \"allow-query\" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition."}]}, "exploit": [{"lang": "en", "value": "We are not aware of any exploits deliberately targeting this specific defect but it is not uncommon for scanners to search for open resolvers for use in reflection attacks and other mischief. We have at least one report from an operator who discovered that unauthorized clients were successfully making queries to his server and it is reasonable to assume that other servers with similar configurations may be currently affected although their operators are unaware."}], "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "There are several potential problems which can be caused by improperly permitting recursive service to unauthorized clients, including:\n\n Additional queries from unauthorized clients may increase the load on a server, possibly degrading service to authorized clients.\n Allowing queries from unauthorized clients can potentially allow a server to be co-opted for use in DNS reflection attacks.\n An attacker may be able to deduce which queries a server has previously serviced by examining the results of queries answered from the cache, potentially leaking private information about what queries have been performed.\n"}]}]}, "references": {"reference_data": [{"name": "USN-3683-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3683-1/"}, {"name": "https://kb.isc.org/docs/aa-01616", "refsource": "CONFIRM", "url": "https://kb.isc.org/docs/aa-01616"}, {"name": "1041115", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041115"}, {"name": "GLSA-201903-13", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201903-13"}, {"name": "https://security.netapp.com/advisory/ntap-20190830-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190830-0002/"}]}, "solution": [{"lang": "en", "value": "Future maintenance releases of BIND will correct the regression which introduced this issue but ISC does not believe that replacement security releases of BIND are required, given that several easy, safe, and completely effective configuration workarounds are available for any operators with affected configurations. However, an advance version of the patch diff which will be applied to future versions is available upon request to security-officer@isc.org and a correction for the behavior in question will debut in the release candidates for BIND 9.9.13, BIND 9.10.8, BIND 9.11.4, and BIND 9.12.2."}], "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "A number of configuration workarounds are available which completely avoid the problem. \n\nIf an operator has not chosen to specify some other permission, explicitly specifying \"allow-query {localnets; localhost;};\" in named.conf will provide behavior equivalent to the intended default.\n\nIf the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:\n\n allow-recursion\n allow-query\n allow-query-cache\n\nwill prevent the \"allow-recursion\" control from improperly inheriting a setting from the allow-query default. If a value is set for any of those values the behavior of allow-recursion will be set directly or inherited from one of the other values as described in the BIND Adminstrator Reference Manual section 6.2.\n\nServers which are not intended to perform recursion at all may also effectively prevent this condition by setting \"recursion no;\" in named.conf."}]}}}, "cveMetadata": {"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "assignerShortName": "isc", "cveId": "CVE-2018-5738", "datePublished": "2018-05-18T00:00:00", "dateReserved": "2018-01-17T00:00:00", "dateUpdated": "2019-08-30T16:06:09", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:9.9.12:*:*:*:*:*:*:*", "matchCriteriaId": "CEBAAC23-A533-4688-9BF4-1819C600D6FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.12:s1:*:*:*:*:*:*", "matchCriteriaId": "71776282-A512-4AF8-A3ED-D9CB0A768410", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.7:*:*:*:*:*:*:*", "matchCriteriaId": "01452454-B7CC-4909-8B2B-B4DF06F8CB4F", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.7:s1:*:*:*:*:*:*", "matchCriteriaId": "F5410A39-A1B8-42BB-9C1B-EC50B1677144", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.3:*:*:*:*:*:*:*", "matchCriteriaId": "46216E94-DC78-4338-BAFA-C88FA202948C", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.3:s1:*:*:*:*:*:*", "matchCriteriaId": "07F165FC-15DF-44F1-B578-A592045BEDEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.3:s2:*:*:*:*:*:*", "matchCriteriaId": "E8D007DF-0C42-444F-9D43-C52024A0C600", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "5DCE4BD2-2256-473F-B17F-192CAC145DF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:a1:*:*:*:*:*:*", "matchCriteriaId": "F72B798C-6FF1-41D2-83BC-BBA8F0C71DDE", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:b1:*:*:*:*:*:*", "matchCriteriaId": "1653E806-4F31-4ACA-B51F-5F0067D99208", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:b2:*:*:*:*:*:*", "matchCriteriaId": "8E5AB236-CBDE-48F3-B6E1-5C6B08996ED7", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F57F84D2-76D0-42B9-BA61-96204F527B7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "FF6D296A-A353-4D4D-BAD7-38E02A7AF298", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "440CFE40-C9B7-4E6E-800D-DD595F8FC38E", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.1:p1:*:*:*:*:*:*", "matchCriteriaId": "F1E36C76-E5E0-42B9-ABF4-F71CE831A62B", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.12.1:p2:*:*:*:*:*:*", "matchCriteriaId": "5AE4CCD7-7825-4422-A972-E19984076091", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "D425D9A9-872D-444D-B5DA-74CB5F775FC6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the \"allow-recursion\" setting, it SHOULD default to one of the following: none, if \"recursion no;\" is set in named.conf; a value inherited from the \"allow-query-cache\" or \"allow-query\" settings IF \"recursion yes;\" (the default for that setting) AND match lists are explicitly set for \"allow-query-cache\" or \"allow-query\" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of \"allow-recursion {localhost; localnets;};\" if \"recursion yes;\" is in effect and no values are explicitly set for \"allow-query-cache\" or \"allow-query\". However, because of the regression introduced by change #4777, it is possible when \"recursion yes;\" is in effect and no match list values are provided for \"allow-query-cache\" or \"allow-query\" for the setting of \"allow-recursion\" to inherit a setting of all hosts from the \"allow-query\" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition."}, {"lang": "es", "value": "El cambio #4777 (presentado en octubre de 2017) introdujo un problema no imaginado en las versiones lanzadas tras esa fecha, que afecta a los clientes que pueden realizar consultas recursivas a un servidor de nombre de BIND. El comportamiento planeado (y documentado) es que, si un operador no ha especificado un valor para la opci\u00f3n \"allow-recursion\", DEBER\u00cdA ser por defecto uno de los siguientes: si \"recursion no;\" est\u00e1 configurado como named.conf; un valor heredado de las opciones \"allow-query-cache\" o \"allow-query\" SI \"recursion yes;\" (la opci\u00f3n por defecto) Y las listas de coincidencias est\u00e1 configuradas de forma expl\u00edcita para \"allow-query-cache\" o \"allow-query\" (v\u00e9ase el manual de referencia administrativa de BIND9, secci\u00f3n 6.2, para m\u00e1s detalles); o la opci\u00f3n por defecto planeada de \"allow-recursion {localhost; localnets;};\" si \"recursion yes;\" est\u00e1 en uso y no hay valores configurados de forma expl\u00edcita para \"allow-query-cache\" o \"allow-query\". Sin embargo, debido a la regresi\u00f3n introducida por el cambio #4777, es posible que, cuando \"recursion yes;\" est\u00e1 en uso y no se proporcionan valores de lista de coincidencias para \"allow-query-cache\" o \"allow-query\" para la configuraci\u00f3n de \"allow-recursion\", se herede una configuraci\u00f3n de todos los hosts de la opci\u00f3n por defecto \"allow-query\". Esto permite de forma incorrecta la recursi\u00f3n a todos los clientes. Afecta a BIND en versiones 9.9.12, 9.10.7, 9.11.3, desde la versi\u00f3n 9.12.0 hasta la 9.12.1-P2, la versi\u00f3n de desarrollo 9.13.0, adem\u00e1s de las versiones 9.9.12-S1, 9.10.7-S1, 9.11.3-S1 y 9.11.3-S2 de BIND 9 Supported Preview Edition."}], "id": "CVE-2018-5738", "lastModified": "2019-08-30T17:15:11.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-officer@isc.org", "type": "Secondary"}]}, "published": "2019-01-16T20:29:00.907", "references": [{"source": "security-officer@isc.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041115"}, {"source": "security-officer@isc.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://kb.isc.org/docs/aa-01616"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201903-13"}, {"source": "security-officer@isc.org", "url": "https://security.netapp.com/advisory/ntap-20190830-0002/"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3683-1/"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}