CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
Michael McNally
mcnally at isc.org
Thu Apr 25 01:21:30 UTC 2019
CVE: CVE-2018-5743
Document version: 2.0
Posting date: 24 April 2019
Program impacted: BIND
Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6,
9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview
Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development
branch
are also affected. Versions prior to BIND 9.9.0
have not
been evaluated for vulnerability to CVE-2018-5743.
Severity: High
Exploitable: Remotely
Description:
By design, BIND is intended to limit the number of TCP clients
that can be connected at any given time. The number of allowed
connections is a tunable parameter which, if unset, defaults to
a conservative value for most servers. Unfortunately, the code
which was intended to limit the number of simultaneous connections
contains an error which can be exploited to grow the number of
simultaneous connections beyond this limit.
Impact:
By exploiting the failure to limit simultaneous TCP connections,
an attacker can deliberately exhaust the pool of file descriptors
available to named, potentially affecting network connections
and the management of files such as log files or zone journal
files.
In cases where the named process is not limited by OS-enforced
per-process limits, this could additionally potentially lead to
exhaustion of all available free file descriptors on that system.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Workarounds:
None.
Active exploits:
No known deliberate exploits, but the situation may occur
accidentally on busy servers.
It is possible for operators to mistakenly believe that their
configured (or default) limit is sufficient for their typical
operations, when in fact it is not. Following an upgrade to a
version that effectively applies limits, named may deny connections
which were previously improperly permitted. Operators can monitor
their logs for rejected connections, keep an eye on "rndc status"
reports of simultaneous connections, or use other tools to monitor
whether the now-effective limits are causing problems for
legitimate clients. Should this be the case, increasing the value
of the tcp-clients setting in named.conf to an appropriate value
would be recommended.
Solution:
Upgrade to a version of BIND containing a fix for the ineffective
limits.
- BIND 9.11.6-P1
- BIND 9.12.4-P1
- BIND 9.14.1
BIND Supported Preview Edition is a special feature preview
branch of BIND provided to eligible ISC support customers.
- BIND 9.11.5-S6
- BIND 9.11.6-S1
Acknowledgements:
ISC would like to thank AT&T for helping us to discover this
issue.
Document revision history:
1.0 Advance Notification, 16 January 2019
1.1 Recall due to error in original fix, 17 January 2019
1.3 Replacement fix delivered to Advance Notification customers, 15
April 2019
1.4 Corrected Versions affected and Solution, 16 April 2019
1.5 Added reference to BIND 9.11.6-S1
2.0 Public disclosure, 24 April 2019
Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete
listing of security vulnerabilities and versions affected.
Do you still have questions? Questions regarding this advisory
should go to security-officer at isc.org. To report a new issue, please
encrypt your message using security-officer at isc.org's PGP key which
can be found here:
https://www.isc.org/downloads/software-support-policy/openpgp-key
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/.
Note:
ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see
https://www.isc.org/downloads/.)
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can
be found in the ISC Software Defect and Security Vulnerability
Disclosure Policy.
Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pEpkey.asc
Type: application/pgp-keys
Size: 13079 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-announce/attachments/20190424/ed60ca46/attachment.bin>
More information about the bind-announce
mailing list