Vulnerabilities > CVE-2018-5738 - Information Exposure vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, isc, canonical, CWE-200, nessus

Summary

Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following:

  • none, if "recursion no;" is set in named.conf;
  • a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or
  • the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query".

However, because of the regression introduced by change #4777, it is possible, when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query", for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.
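The default-resolution rules above are easy to misread, so the following added example (not ISC code, and not part of this advisory) models them in Python: it reads the four relevant statements out of a named.conf fragment, derives the effective "allow-recursion" ACL under the documented rules and under the regressed behaviour of change #4777, and reports whether a given configuration shape is exposed. The parser is a deliberate simplification (assumption: statements appear once, at global options scope, with one-line match lists); the sample configurations are constructed for the example.

```python
"""Model of how BIND derives the effective "allow-recursion" ACL (CVE-2018-5738).

Added example, not ISC code. It reproduces the default-resolution rules quoted
in the advisory and the regressed behaviour of change #4777, so an operator can
see which named.conf shapes are exposed and confirm that an explicit
allow-recursion statement removes the ambiguity.
"""
import re

DOCUMENTED_DEFAULT = ["localhost", "localnets"]   # intended allow-recursion default
ALLOW_QUERY_DEFAULT = ["any"]                       # allow-query's own default


def parse_options(named_conf: str) -> dict:
    """Pull out recursion, allow-recursion, allow-query-cache and allow-query.

    Assumption: each statement occurs at most once and match lists are written
    inline, e.g. `allow-query { 192.0.2.0/24; localhost; };`.
    """
    opts = {}
    # `(?<![-\w])` keeps "allow-recursion" from matching as "recursion".
    r = re.search(r"(?<![-\w])recursion\s+(yes|no)\s*;", named_conf)
    opts["recursion"] = (r.group(1) == "yes") if r else True   # yes is the default
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        # `\s*\{` after the name stops "allow-query" matching "allow-query-cache".
        a = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", named_conf)
        if a:
            opts[name] = [e.strip() for e in a.group(1).split(";") if e.strip()]
    return opts


def effective_allow_recursion(opts: dict, regressed: bool = False) -> list:
    """Return the ACL that actually governs recursive queries.

    regressed=True models the CVE-2018-5738 behaviour: when neither
    allow-query-cache nor allow-query is set explicitly, allow-recursion
    inherits allow-query's default ("any") instead of localhost/localnets.
    """
    if "allow-recursion" in opts:
        return opts["allow-recursion"]        # an explicit setting always wins
    if not opts["recursion"]:
        return []                             # "recursion no;" -> no clients
    for inherited in ("allow-query-cache", "allow-query"):
        if inherited in opts:
            return opts[inherited]            # documented inheritance order
    return ALLOW_QUERY_DEFAULT if regressed else DOCUMENTED_DEFAULT


def audit_named_conf(named_conf: str) -> dict:
    """Compare documented vs regressed outcome; exposed when they differ."""
    opts = parse_options(named_conf)
    documented = effective_allow_recursion(opts, regressed=False)
    regressed = effective_allow_recursion(opts, regressed=True)
    return {
        "documented": documented,
        "regressed": regressed,
        "exposed": documented != regressed,
    }


# Constructed sample configurations (not taken from any real deployment).
CONF_IMPLICIT = """
options {
    directory "/var/cache/bind";
    recursion yes;
};
"""
CONF_EXPLICIT = """
options {
    recursion yes;
    allow-recursion { localhost; localnets; };
};
"""
CONF_QUERY_ACL = """
options {
    recursion yes;
    allow-query { 192.0.2.0/24; localhost; };
};
"""
CONF_NO_RECURSION = """
options {
    recursion no;
};
"""

if __name__ == "__main__":
    for label, conf in (("implicit", CONF_IMPLICIT), ("explicit", CONF_EXPLICIT),
                        ("query-acl", CONF_QUERY_ACL), ("no-recursion", CONF_NO_RECURSION)):
        print(f"{label:12s} {audit_named_conf(conf)}")
```

Only the first shape (recursion left at its default, no match lists anywhere) changes meaning under the affected versions; adding an explicit `allow-recursion { localhost; localnets; };`, as the ISC advisory's workaround does, makes the result independent of the regression.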

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2321.NASL
    description: According to the versions of the bind packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131486
    published: 2019-12-03
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131486
    title: EulerOS Virtualization for ARM 64 3.0.3.0 : bind (EulerOS-SA-2019-2321)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131486);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/10");
    
      script_cve_id(
        "CVE-2018-5738",
        "CVE-2018-5745",
        "CVE-2019-6465"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.3.0 : bind (EulerOS-SA-2019-2321)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the bind packages installed, the EulerOS
    Virtualization for ARM 64 installation on the remote host is affected
    by the following vulnerabilities :
    
      - Change #4777 (introduced in October 2017) introduced an
        unforeseen issue in releases which were issued after
        that date, affecting which clients are permitted to
        make recursive queries to a BIND nameserver. The
        intended (and documented) behavior is that if an
        operator has not specified a value for the
        'allow-recursion' setting, it SHOULD default to one of
        the following: none, if 'recursion no' is set in
        named.conf a value inherited from the
        'allow-query-cache' or 'allow-query' settings IF
        'recursion yes' (the default for that setting) AND
        match lists are explicitly set for 'allow-query-cache'
        or 'allow-query' (see the BIND9 Administrative
        Reference Manual section 6.2 for more details) or the
        intended default of 'allow-recursion {localhost
        localnets}' if 'recursion yes' is in effect and no
        values are explicitly set for 'allow-query-cache' or
        'allow-query'. However, because of the regression
        introduced by change #4777, it is possible when
        'recursion yes' is in effect and no match list values
        are provided for 'allow-query-cache' or 'allow-query'
        for the setting of 'allow-recursion' to inherit a
        setting of all hosts from the 'allow-query' setting
        default, improperly permitting recursion to all
        clients. Affects BIND 9.9.12, 9.10.7, 9.11.3,
        9.12.0->9.12.1-P2, the development release 9.13.0, and
        also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and
        9.11.3-S2 from BIND 9 Supported Preview
        Edition.(CVE-2018-5738)
    
      - Controls for zone transfers may not be properly applied
        to Dynamically Loadable Zones (DLZs) if the zones are
        writable Versions affected: BIND 9.9.0 -> 9.10.8-P1,
        9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions
        9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview
        Edition. Versions 9.13.0 -> 9.13.6 of the 9.13
        development branch are also affected. Versions prior to
        BIND 9.9.0 have not been evaluated for vulnerability to
        CVE-2019-6465.(CVE-2019-6465)
    
      - 'managed-keys' is a feature which allows a BIND
        resolver to automatically maintain the keys used by
        trust anchors which operators configure for use in
        DNSSEC validation. Due to an error in the managed-keys
        feature it is possible for a BIND server which uses
        managed-keys to exit due to an assertion failure if,
        during key rollover, a trust anchor's keys are replaced
        with keys which use an unsupported algorithm. Versions
        affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1,
        9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3
        of BIND 9 Supported Preview Edition. Versions 9.13.0 ->
        9.13.6 of the 9.13 development branch are also
        affected. Versions prior to BIND 9.9.0 have not been
        evaluated for vulnerability to
        CVE-2018-5745.(CVE-2018-5745)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2321
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b3f1b816");
      script_set_attribute(attribute:"solution", value:
    "Update the affected bind packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/03");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bind-export-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bind-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bind-libs-lite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bind-license");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bind-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-bind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.3.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.3.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.3.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["bind-export-libs-9.11.4-10.P2.h12.eulerosv2r8",
            "bind-libs-9.11.4-10.P2.h12.eulerosv2r8",
            "bind-libs-lite-9.11.4-10.P2.h12.eulerosv2r8",
            "bind-license-9.11.4-10.P2.h12.eulerosv2r8",
            "bind-utils-9.11.4-10.P2.h12.eulerosv2r8",
            "python3-bind-9.11.4-10.P2.h12.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bind");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3683-1.NASL
    description: Andrew Skalski discovered that Bind could incorrectly enable recursion when the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110532
    published: 2018-06-14
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110532
    title: Ubuntu 18.04 LTS : bind9 vulnerability (USN-3683-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3683-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110532);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2018-5738");
      script_xref(name:"USN", value:"3683-1");
    
      script_name(english:"Ubuntu 18.04 LTS : bind9 vulnerability (USN-3683-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Andrew Skalski discovered that Bind could incorrectly enable recursion
    when the 'allow-recursion' setting wasn't specified. This issue could
    improperly permit recursion to all clients, contrary to expectations.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3683-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected bind9 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:bind9");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"18.04", pkgname:"bind9", pkgver:"1:9.11.3+dfsg-1ubuntu1.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bind9");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-5417CA3713.NASL
    description: Update to last security release - Fixes CVE-2018-5738 - Adds root key sentinel mechanism support - incremental zone transfer limit to prevent journal corruption - rndc reload memory leak Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120429
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120429
    title: Fedora 28 : 32:bind (2018-5417ca3713)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-5417ca3713.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120429);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-5738", "CVE-2018-5740");
      script_xref(name:"FEDORA", value:"2018-5417ca3713");
    
      script_name(english:"Fedora 28 : 32:bind (2018-5417ca3713)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to last security release
    
      - Fixes CVE-2018-5738
    
      - Adds root key sentinel mechanism support
    
      - incremental zone transfer limit to prevent journal
        corruption
    
      - rndc reload memory leak
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-5417ca3713"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 32:bind package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:32:bind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC28", reference:"bind-9.11.4-5.P1.fc28", epoch:"32")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "32:bind");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201903-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201903-13 (BIND: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in BIND. Please review the CVE identifiers referenced below for details. Impact : BIND can improperly permit recursive query service to unauthorized clients possibly resulting in a Denial of Service condition or to be used in DNS reflection attacks. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122835
    published: 2019-03-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122835
    title: GLSA-201903-13 : BIND: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201903-13.
    #
    # The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122835);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/05");
    
      script_cve_id("CVE-2018-5738", "CVE-2018-5740", "CVE-2018-5741");
      script_xref(name:"GLSA", value:"201903-13");
    
      script_name(english:"GLSA-201903-13 : BIND: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201903-13
    (BIND: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in BIND. Please review the
          CVE identifiers referenced below for details.
      
    Impact :
    
        BIND can improperly permit recursive query service to unauthorized
          clients possibly resulting in a Denial of Service condition or to be used
          in DNS reflection attacks.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201903-13"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All bind users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-dns/bind-9.12.1_p2-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:bind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-dns/bind", unaffected:make_list("ge 9.12.1_p2-r1"), vulnerable:make_list("lt 9.12.1_p2-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "BIND");
    }
    
  • NASL family: DNS
    NASL id: BIND9_CVE-2018-5738.NASL
    description: According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.9.12, 9.10.7, 9.11.3, 9.12.0 prior to or equal to 9.12.1-P2, development release 9.13.0, 9.9.12-S1, 9.11.3-S1, or 9.11.3-S2. It is, therefore, affected by an allow-recursion vulnerability which exists in the named.conf due to a regression issue introduced by change #4777. An unauthenticated, remote attacker can exploit this to cause undesirable behavior such as a degradation or denial of service, DNS reflection attacks, or potentially leak private information about what queries have been performed.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122240
    published: 2019-02-15
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122240
    title: ISC BIND Allow-Recursion Vulnerability
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122240);
      script_version("1.3");
      script_cvs_date("Date: 2019/10/31 15:18:51");
    
      script_cve_id("CVE-2018-5738");
    
      script_name(english:"ISC BIND Allow-Recursion Vulnerability");
      script_summary(english:"Checks the version of BIND.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote name server is affected by an allow-recursion vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the instance of ISC BIND 9
    running on the remote name server is 9.9.12, 9.10.7, 9.11.3, 9.12.0
    prior to or equal to 9.12.1-P2, development release 9.13.0, 9.9.12-S1,
    9.11.3-S1, or 9.11.3-S2.  It is, therefore, affected by an allow-recursion
    vulnerability which exists in the named.conf due to a regression issue
    introduced by change #4777.
    
    An unauthenticated, remote attacker can exploit this to cause
    undesirable behavior such as a degradation or denial of service,
    DNS reflection attacks, or potentially leak private information
    about what queries have been performed.");
      script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/docs/AA-01616");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to ISC BIND version 9.9.13 / 9.10.8 / 9.11.4 / 9.12.2  
    or later or apply the workaround as per the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5738");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/15");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"DNS");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("bind_version.nasl");
      script_require_keys("bind/version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("vcf.inc");
    include("vcf_extras.inc");
    
    # Version-only check: exposure depends on named.conf and the fix may be
    # backported, so report only when paranoid reporting is enabled.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    vcf::bind::initialize();
    
    app_info = vcf::get_app_info(app:"BIND", port:53, kb_ver:"bind/version", service:TRUE, proto:"UDP");
    
    constraints = [
      { "min_version" : "9.9.12", "fixed_version" : "9.9.13" },
      { "min_version" : "9.10.7", "fixed_version" : "9.10.8" },
      { "min_version" : "9.11.3", "fixed_version" : "9.11.4" },
      { "min_version" : "9.12.0", "max_version" : "9.12.1-P2", "fixed_version" : "9.12.2" },
      { "min_version" : "9.9.12-S1", "fixed_version" : "9.9.13" },
      { "min_version" : "9.10.7-S1", "fixed_version" : "9.10.8" },
      # Fixed in the 9.11 branch, consistent with the 9.11.3 constraint above.
      { "min_version" : "9.11.3-S1", "max_version" : "9.11.3-S2", "fixed_version" : "9.11.4" },
    ];
    constraints = vcf::bind::filter_constraints(constraints:constraints, version:app_info.version);
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
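The plugin above only compares version strings, so it cannot tell an exposed server from one whose operator already applied the workaround. The audit below, an added example that is not part of the Tenable plugin or of BIND, applies the rule from the description to a named.conf: with `recursion yes;` (the default) and none of `allow-recursion`, `allow-query-cache` or `allow-query` set in the global `options` block, an affected version falls back to recursing for any host. It assumes a conventional single-`options` named.conf (`view` blocks, which can override these settings, are out of scope), and the three sample configurations are constructed for illustration.

```python
"""Audit a named.conf 'options' block for CVE-2018-5738 exposure.

Added example, not ISC or Tenable code.  Only the global 'options' block is
inspected; 'view' blocks are assumed not to be in use.
"""
import re

# Any of these, when set explicitly, gives allow-recursion a real match list.
# With 'recursion yes;' and none of them present, an affected BIND version
# falls back to 'any' instead of the documented 'localhost; localnets;'.
RECURSION_ACLS = ("allow-recursion", "allow-query-cache", "allow-query")


def strip_comments(text):
    """Drop /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)  # naive: also strips '#' inside strings


def options_block(text):
    """Return the body of the top-level 'options { ... }' block, or ''."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in options block")


def top_level_statements(body):
    """Yield (name, value) for statements that are direct children of body.

    Semicolons inside nested '{ ... }' address lists do not end a statement.
    """
    depth, buf = 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = " ".join("".join(buf).split())
            buf = []
            m = re.match(r"([\w-]+)\s*(.*)", stmt)
            if m:
                yield m.group(1), m.group(2)
        else:
            buf.append(ch)


def audit_named_conf(text):
    """Report whether CVE-2018-5738 would open recursion for this config."""
    stmts = dict(top_level_statements(options_block(strip_comments(text))))
    recursion = stmts.get("recursion", "yes").lower() == "yes"  # BIND default
    explicit = sorted(k for k in RECURSION_ACLS if k in stmts)
    return {"recursion": recursion, "explicit": explicit,
            "exposed": recursion and not explicit}


# Constructed samples (not real configs).
VULNERABLE_CONF = """
// recursion defaults to yes and no ACL is set: hits the regression
options {
    directory "/var/named";
    listen-on { any; };
};
"""

HARDENED_CONF = """
// the advisory workaround: state the intended default explicitly
options {
    directory "/var/named";
    listen-on { any; };
    allow-recursion { localhost; localnets; };
    allow-query-cache { localhost; localnets; };
};
"""

AUTHORITATIVE_CONF = """
options {
    directory "/var/named";
    recursion no;   /* authoritative-only server, nothing to inherit */
};
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF),
                        ("hardened", HARDENED_CONF),
                        ("authoritative", AUTHORITATIVE_CONF)):
        print(label, audit_named_conf(conf))
```

Treat an "exposed" result as a finding only on the affected versions listed in the description; on a fixed release the same configuration yields the documented `localhost; localnets;` default.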
    
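Because the Nessus check is version-based and reports only in paranoid mode, the definitive test is to ask the server to recurse. The probe below is an added example, not code from the Tenable plugin or from ISC: it sends one recursion-desired query in wire format and classifies the reply from the RA flag, RCODE and answer count. A restricted resolver answers an outside client with REFUSED; an open one sets RA and returns the record. The sample replies are constructed for offline use, and the query name and the 192.0.2.1 answer are placeholders. Run `probe()` only from a host outside the server's localhost/localnets (those are allowed to recurse by design) and only against servers you are authorized to test.

```python
"""Open-recursion probe for a BIND server (added example, not ISC or Tenable code)."""
import random
import socket
import struct

RCODE_REFUSED = 5


def build_query(name, qtype=1, txid=None):
    """RFC 1035 query for name/IN/qtype with the RD (recursion desired) bit set."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Extract id, QR, RA, RCODE and ANCOUNT from a response header."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}


def classify(query, resp):
    """open-recursion | refused | no-recursion | mismatch for a query/reply pair."""
    q_id = struct.unpack("!H", query[:2])[0]
    h = parse_header(resp)
    if h["id"] != q_id or not h["qr"]:
        return "mismatch"            # not a reply to our query
    if h["rcode"] == RCODE_REFUSED:
        return "refused"             # allow-recursion excludes this client
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursion"      # server resolved a name it is not authoritative for
    return "no-recursion"            # referral or empty answer without RA


def probe(server, name="example.com", port=53, timeout=3.0):
    """Send the query to a live server over UDP and classify its reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    return classify(q, resp)


# Constructed replies to build_query("example.com", txid=0x1234), as an open
# resolver (QR, RD, RA, NOERROR, one A record) and a restricted one (REFUSED)
# would send; the 192.0.2.1 address is a TEST-NET placeholder.
SAMPLE_QUERY = build_query("example.com", txid=0x1234)
QUESTION = SAMPLE_QUERY[12:]
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
REFERRAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("restricted", REFUSED_REPLY),
                         ("referral", REFERRAL_REPLY)):
        print(label, classify(SAMPLE_QUERY, reply))
```

A server answering "open-recursion" here while its operator believes the default `localhost; localnets;` applies is the symptom the advisory describes; the fix is either the upgrade or an explicit `allow-recursion` match list.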
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-C0F12F789E.NASL
    description: Update to bind 9.11.4 ---- - Fix CVE-2018-5738 - Remove named.iscdlv.key - Make home writeable - Use invalid shell /bin/false for bind Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-08-02
    plugin id: 111476
    published: 2018-08-02
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111476
    title: Fedora 27 : 32:bind / bind-dyndb-ldap / dnsperf (2018-c0f12f789e)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-c0f12f789e.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111476);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-5738");
      script_xref(name:"FEDORA", value:"2018-c0f12f789e");
    
      script_name(english:"Fedora 27 : 32:bind / bind-dyndb-ldap / dnsperf (2018-c0f12f789e)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to bind 9.11.4
    
    ----
    
      - Fix CVE-2018-5738
    
      - Remove named.iscdlv.key
    
      - Make home writeable
    
      - Use invalid shell /bin/false for bind
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-c0f12f789e"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected 32:bind, bind-dyndb-ldap and / or dnsperf
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:32:bind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bind-dyndb-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:dnsperf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"bind-9.11.4-1.fc27", epoch:"32")) flag++;
    if (rpm_check(release:"FC27", reference:"bind-dyndb-ldap-11.1-12.fc27")) flag++;
    if (rpm_check(release:"FC27", reference:"dnsperf-2.1.0.0-17.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "32:bind / bind-dyndb-ldap / dnsperf");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-BFEC61FB2F.NASL
    description: - Fix CVE-2018-5738 - Remove named.iscdlv.key Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120758
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120758
    title: Fedora 28 : 32:bind (2018-bfec61fb2f)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-90F8FBD58E.NASL
    description: Update to 9.11.4-P1 - Fixes CVE-2018-5738 - Adds root key sentinel mechanism support - incremental zone transfer limit to prevent journal corruption - rndc reload memory leak Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-08-23
    plugin id: 112068
    published: 2018-08-23
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/112068
    title: Fedora 27 : 32:bind (2018-90f8fbd58e)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2018-192-01.NASL
    description: New bind packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111035
    published: 2018-07-12
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111035
    title: Slackware 14.0 / 14.1 / 14.2 / current : bind (SSA:2018-192-01)