CVE-2018-5738

Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query". However, because of the regression introduced by change #4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securitytracker.com/id/1041115	Third Party Advisory VDB Entry
https://kb.isc.org/docs/aa-01616	Mitigation Vendor Advisory
https://security.gentoo.org/glsa/201903-13	Third Party Advisory
https://security.netapp.com/advisory/ntap-20190830-0002/
https://usn.ubuntu.com/3683-1/	Third Party Advisory
http://www.securitytracker.com/id/1041115	Third Party Advisory VDB Entry
https://kb.isc.org/docs/aa-01616	Mitigation Vendor Advisory
https://security.gentoo.org/glsa/201903-13	Third Party Advisory
https://security.netapp.com/advisory/ntap-20190830-0002/
https://usn.ubuntu.com/3683-1/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:isc:bind:9.9.12:::::::*
	cpe:2.3:a:isc:bind:9.9.12:s1::::::
	cpe:2.3:a:isc:bind:9.10.7:::::::*
	cpe:2.3:a:isc:bind:9.10.7:s1::::::
	cpe:2.3:a:isc:bind:9.11.3:::::::*
	cpe:2.3:a:isc:bind:9.11.3:s1::::::
	cpe:2.3:a:isc:bind:9.11.3:s2::::::
	cpe:2.3:a:isc:bind:9.12.0:::::::*
	cpe:2.3:a:isc:bind:9.12.0:a1::::::
	cpe:2.3:a:isc:bind:9.12.0:b1::::::
	cpe:2.3:a:isc:bind:9.12.0:b2::::::
	cpe:2.3:a:isc:bind:9.12.0:rc1::::::
	cpe:2.3:a:isc:bind:9.12.0:rc3::::::
	cpe:2.3:a:isc:bind:9.12.1:::::::*
	cpe:2.3:a:isc:bind:9.12.1:p1::::::
	cpe:2.3:a:isc:bind:9.12.1:p2::::::
	cpe:2.3:a:isc:bind:9.13.0:::::::*

Configuration 2 (hide)

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

History

21 Nov 2024, 04:09

Type	Values Removed	Values Added
References	~~() http://www.securitytracker.com/id/1041115 - Third Party Advisory, VDB Entry~~	() http://www.securitytracker.com/id/1041115 - Third Party Advisory, VDB Entry
References	~~() https://kb.isc.org/docs/aa-01616 - Mitigation, Vendor Advisory~~	() https://kb.isc.org/docs/aa-01616 - Mitigation, Vendor Advisory
References	~~() https://security.gentoo.org/glsa/201903-13 - Third Party Advisory~~	() https://security.gentoo.org/glsa/201903-13 - Third Party Advisory
References	~~() https://security.netapp.com/advisory/ntap-20190830-0002/ -~~	() https://security.netapp.com/advisory/ntap-20190830-0002/ -
References	~~() https://usn.ubuntu.com/3683-1/ - Third Party Advisory~~	() https://usn.ubuntu.com/3683-1/ - Third Party Advisory
CVSS	v2 : ~~5.0~~ v3 : ~~7.5~~	v2 : 5.0 v3 : 5.3

Information

Published : 2019-01-16 20:29

Updated : 2024-11-21 04:09

NVD link : CVE-2018-5738

Mitre link : CVE-2018-5738

CVE.ORG link : CVE-2018-5738

JSON object : View

Products Affected

canonical

ubuntu_linux

isc

bind

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2018-5738", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "security-officer@isc.org", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-01-16T20:29:00.907", "references": [{"url": "http://www.securitytracker.com/id/1041115", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security-officer@isc.org"}, {"url": "https://kb.isc.org/docs/aa-01616", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-officer@isc.org"}, {"url": "https://security.gentoo.org/glsa/201903-13", "tags": ["Third Party Advisory"], "source": "security-officer@isc.org"}, {"url": "https://security.netapp.com/advisory/ntap-20190830-0002/", "source": "security-officer@isc.org"}, {"url": "https://usn.ubuntu.com/3683-1/", "tags": ["Third Party Advisory"], "source": "security-officer@isc.org"}, {"url": "http://www.securitytracker.com/id/1041115", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://kb.isc.org/docs/aa-01616", "tags": ["Mitigation", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201903-13", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20190830-0002/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://usn.ubuntu.com/3683-1/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the \"allow-recursion\" setting, it SHOULD default to one of the following: none, if \"recursion no;\" is set in named.conf; a value inherited from the \"allow-query-cache\" or \"allow-query\" settings IF \"recursion yes;\" (the default for that setting) AND match lists are explicitly set for \"allow-query-cache\" or \"allow-query\" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of \"allow-recursion {localhost; localnets;};\" if \"recursion yes;\" is in effect and no values are explicitly set for \"allow-query-cache\" or \"allow-query\". However, because of the regression introduced by change #4777, it is possible when \"recursion yes;\" is in effect and no match list values are provided for \"allow-query-cache\" or \"allow-query\" for the setting of \"allow-recursion\" to inherit a setting of all hosts from the \"allow-query\" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition."}, {"lang": "es", "value": "El cambio #4777 (presentado en octubre de 2017) introdujo un problema no imaginado en las versiones lanzadas tras esa fecha, que afecta a los clientes que pueden realizar consultas recursivas a un servidor de nombre de BIND. El comportamiento planeado (y documentado) es que, si un operador no ha especificado un valor para la opci\u00f3n \"allow-recursion\", DEBER\u00cdA ser por defecto uno de los siguientes: si \"recursion no;\" est\u00e1 configurado como named.conf; un valor heredado de las opciones \"allow-query-cache\" o \"allow-query\" SI \"recursion yes;\" (la opci\u00f3n por defecto) Y las listas de coincidencias est\u00e1 configuradas de forma expl\u00edcita para \"allow-query-cache\" o \"allow-query\" (v\u00e9ase el manual de referencia administrativa de BIND9, secci\u00f3n 6.2, para m\u00e1s detalles); o la opci\u00f3n por defecto planeada de \"allow-recursion {localhost; localnets;};\" si \"recursion yes;\" est\u00e1 en uso y no hay valores configurados de forma expl\u00edcita para \"allow-query-cache\" o \"allow-query\". Sin embargo, debido a la regresi\u00f3n introducida por el cambio #4777, es posible que, cuando \"recursion yes;\" est\u00e1 en uso y no se proporcionan valores de lista de coincidencias para \"allow-query-cache\" o \"allow-query\" para la configuraci\u00f3n de \"allow-recursion\", se herede una configuraci\u00f3n de todos los hosts de la opci\u00f3n por defecto \"allow-query\". Esto permite de forma incorrecta la recursi\u00f3n a todos los clientes. Afecta a BIND en versiones 9.9.12, 9.10.7, 9.11.3, desde la versi\u00f3n 9.12.0 hasta la 9.12.1-P2, la versi\u00f3n de desarrollo 9.13.0, adem\u00e1s de las versiones 9.9.12-S1, 9.10.7-S1, 9.11.3-S1 y 9.11.3-S2 de BIND 9 Supported Preview Edition."}], "lastModified": "2024-11-21T04:09:17.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:9.9.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEBAAC23-A533-4688-9BF4-1819C600D6FD"}, {"criteria": "cpe:2.3:a:isc:bind:9.9.12:s1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71776282-A512-4AF8-A3ED-D9CB0A768410"}, {"criteria": "cpe:2.3:a:isc:bind:9.10.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01452454-B7CC-4909-8B2B-B4DF06F8CB4F"}, {"criteria": "cpe:2.3:a:isc:bind:9.10.7:s1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5410A39-A1B8-42BB-9C1B-EC50B1677144"}, {"criteria": "cpe:2.3:a:isc:bind:9.11.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46216E94-DC78-4338-BAFA-C88FA202948C"}, {"criteria": "cpe:2.3:a:isc:bind:9.11.3:s1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07F165FC-15DF-44F1-B578-A592045BEDEF"}, {"criteria": "cpe:2.3:a:isc:bind:9.11.3:s2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8D007DF-0C42-444F-9D43-C52024A0C600"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DCE4BD2-2256-473F-B17F-192CAC145DF1"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:a1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F72B798C-6FF1-41D2-83BC-BBA8F0C71DDE"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:b1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1653E806-4F31-4ACA-B51F-5F0067D99208"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:b2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E5AB236-CBDE-48F3-B6E1-5C6B08996ED7"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F57F84D2-76D0-42B9-BA61-96204F527B7A"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF6D296A-A353-4D4D-BAD7-38E02A7AF298"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "440CFE40-C9B7-4E6E-800D-DD595F8FC38E"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.1:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1E36C76-E5E0-42B9-ABF4-F71CE831A62B"}, {"criteria": "cpe:2.3:a:isc:bind:9.12.1:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5AE4CCD7-7825-4422-A972-E19984076091"}, {"criteria": "cpe:2.3:a:isc:bind:9.13.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D425D9A9-872D-444D-B5DA-74CB5F775FC6"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D"}], "operator": "OR"}]}], "sourceIdentifier": "security-officer@isc.org"}

5.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2018-5738

5.3^/10

5.0^/10

Attach tags to `CVE-2018-5738`