The Internet Systems Consortium (ISC) has released security updates for its Berkeley Internet Name Domain (BIND), fixing vulnerabilities that if exploited could cause a denial of service condition.
The first issue, the high-severity CVE-2018-5743, addresses a flaw that does not limit the number of TCP clients that can be connected at any given time. The scenario can be created because the number of TCP connections is changeable and, if unset, is designed to default to the conservative value for the server. However, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit, creating a DoS condition.
Versions affected are BIND 9.9.0 to 9.10.8-P1, 9.11.0 to 9.11.6, 9.12.0 -to 9.12.4 and 9.14.0, and BIND 9 Supported Preview Edition versions 9.9.3-S1 to 9.11.5-S3 and 9.11.5-S5. Versions 9.13.0 to 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated.
The medium-rated CVE-2019-6467, covering BIND 9.12.0 to 9.12.4, 9.14.0 and all releases in the 9.13 development branch, covers “a programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally.” A successful exploit would see an attacker deliberately trigger the condition forcing BIND to exit thus denying service to others.
CVE-2019-6468, a medium-rated vulnerability, impacts BIND Supported Preview Edition versions 9.10.5-S1 to 9.11.5-S5, and centers on an error in the nxdomain-redirect feature in versions that support EDNS Client Subnet features. In these versions, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure.
ISC is recommending all users update to the latest version of BIND.