CVE-2018-5741: Update policies krb5-subdomain and ms-subdomain do not enforce controls promised in their documentation
First published: Wed Sep 19 2018(Updated: )
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ISC BIND | <9.11.5 | |
| ISC BIND | >=9.12.0<9.12.3 | |
| redhat/bind | <9.11.4 | 9.11.4 |
| redhat/bind | <9.12.2 | 9.12.2 |
| redhat/bind | <9.13.3 | 9.13.3 |
Remedy
At the time of public disclosure, ISC is not providing any code changing the behavior of the update-policy feature. While we believe that there are a few operators out there who are relying on the strictest interpretation permitted by the erroneous documentation, we have to balance that against changing the behavior of features in stable branches of BIND, including the 9.11 branch which is meant to be a feature-complete Extended Support Version of BIND 9. As a compromise between these conflicting priorities, we have decided that our best course of action is to disclose the error but leave the existing behavior of the krb5-subdomain and ms-subdomain policies as they are (while correcting the erroneous documentation). In maintenance releases issued during or after October 2018, the name field for ms-subdomain and krb5-subdomain will be corrected so that names lower than "." can be configured, and two new rule types will be added, krb5-selfsub and ms-selfsub, analogous to the existing selfsub rule type, which implement the behavior that was formerly described in the documentation for krb5-subdomain and ms-subdomain: restricting updates to names at or below the machine name encoded in the client's Windows or Kerberos principal.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
- http://www.securityfocus.com/bid/105379
- http://www.securitytracker.com/id/1041674
- https://access.redhat.com/errata/RHSA-2019:2057
- https://kb.isc.org/docs/cve-2018-5741
- https://security.gentoo.org/glsa/201903-13
- https://security.netapp.com/advisory/ntap-20190830-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03927en_us
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1631132
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1631133
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908595
- https://gitlab.isc.org/isc-projects/bind9/commit/0268e42b4e5b83e1e5806caddd3b38e14735d739
- https://gitlab.isc.org/isc-projects/bind9/commit/0370d136673052dbe18e830182e73278bbba9c21
- https://gitlab.isc.org/isc-projects/bind9/commit/a3c5c2c29c46cba6d077364af86984fd5d1ebedd
- https://gitlab.isc.org/isc-projects/bind9/merge_requests/708
- https://ftp.isc.org/isc/bind9/9.13.2/doc/arm/Bv9ARM.ch05.html#dynamic_update_policies
- https://ftp.isc.org/isc/bind9/9.13.3/doc/arm/Bv9ARM.ch05.html#dynamic_update_policies
- https://gitlab.isc.org/isc-projects/bind9/issues/511
- https://gitlab.isc.org/isc-projects/bind9/merge_requests/732/diffs
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=457932
- https://access.redhat.com/security/cve/cve-2018-5741
- https://bugzilla.redhat.com/show_bug.cgi?id=1631131
Frequently Asked Questions
What is the severity of CVE-2018-5741?
The severity of CVE-2018-5741 is medium, with a severity value of 6.5.
How does CVE-2018-5741 affect BIND?
CVE-2018-5741 affects BIND versions 9.11.5 up to 9.12.3.
What is the update-policy feature in BIND?
The update-policy feature in BIND provides fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone.
How can I limit the types of updates performed by a client in BIND?
You can use the update-policy feature in BIND to configure various rules that limit the types of updates that can be performed by a client, depending on the key used when sending the update.
Where can I find more information about CVE-2018-5741?
You can find more information about CVE-2018-5741 at the following references: http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html, http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html, and http://www.securityfocus.com/bid/105379.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/references
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-5741
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/event
- agent/tags
- agent/first-publish-date
- vendor/isc
- canonical/isc bind
- version/isc bind/9.12.0
- package-manager/redhat