CVE-2018-5743: Limiting simultaneous TCP clients was ineffective
First published: Wed Oct 09 2019(Updated: )
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.19-1 | |
| F5 BIG-IP Local Traffic Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Local Traffic Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Local Traffic Manager | >=13.0.0<=13.1.1 | |
| F5 BIG-IP Local Traffic Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Local Traffic Manager | =15.0.0 | |
| f5 big-ip application acceleration manager | >=11.5.2<=11.6.5 | |
| f5 big-ip application acceleration manager | >=12.1.0<=12.1.4 | |
| f5 big-ip application acceleration manager | >=13.0.0<=13.1.1 | |
| f5 big-ip application acceleration manager | >=14.0.0<=14.1.0 | |
| f5 big-ip application acceleration manager | =15.0.0 | |
| F5 BIG-IP Advanced Firewall Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Advanced Firewall Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Advanced Firewall Manager | >=13.1.0<=13.1.1 | |
| F5 BIG-IP Advanced Firewall Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Advanced Firewall Manager | =15.0.0 | |
| F5 BIG-IP Analytics | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Analytics | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Analytics | >=13.0.0<=13.1.1 | |
| F5 BIG-IP Analytics | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Analytics | =15.0.0 | |
| F5 Access Policy Manager | >=11.5.2<=11.6.5 | |
| F5 Access Policy Manager | >=12.1.0<=12.1.4 | |
| F5 Access Policy Manager | >=13.1.0<=13.1.1 | |
| F5 Access Policy Manager | >=14.0.0<=14.1.0 | |
| F5 Access Policy Manager | =15.0.0 | |
| F5 Application Security Manager | >=11.5.2<=11.6.5 | |
| F5 Application Security Manager | >=12.1.0<=12.1.4 | |
| F5 Application Security Manager | >=13.0.0<=13.1.1 | |
| F5 Application Security Manager | >=14.0.0<=14.1.1 | |
| F5 Application Security Manager | =15.0.0 | |
| F5 BIG-IP Edge Gateway | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Edge Gateway | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Edge Gateway | >=13.0.0<=13.1.1 | |
| F5 BIG-IP Edge Gateway | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Edge Gateway | =15.0.0 | |
| F5 BIG-IP fraud protection services | >=11.5.2<=11.6.5 | |
| F5 BIG-IP fraud protection services | >=12.1.0<=12.1.4 | |
| F5 BIG-IP fraud protection services | >=13.0.0<=13.1.1 | |
| F5 BIG-IP fraud protection services | >=14.0.0<=14.1.0 | |
| F5 BIG-IP fraud protection services | =15.0.0 | |
| F5 BIG-IP Global Traffic Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Global Traffic Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Global Traffic Manager | >=13.0.0<=13.1.1 | |
| F5 BIG-IP Global Traffic Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Global Traffic Manager | =15.0.0 | |
| F5 BIG-IP | >=11.5.2<=11.6.5 | |
| F5 BIG-IP | >=12.1.0<=12.1.4 | |
| F5 BIG-IP | >=13.0.0<=13.1.1 | |
| F5 BIG-IP | >=14.0.0<=14.1.0 | |
| F5 BIG-IP | =15.0.0 | |
| F5 BIG-IP WebAccelerator | >=11.5.2<=11.6.5 | |
| F5 BIG-IP WebAccelerator | >=12.1.0<=12.1.4 | |
| F5 BIG-IP WebAccelerator | >=13.1.0<=13.1.1 | |
| F5 BIG-IP WebAccelerator | >=14.0.0<=14.1.0 | |
| F5 BIG-IP WebAccelerator | =15.0.0 | |
| F5 BIG-IP Policy Enforcement Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Policy Enforcement Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Policy Enforcement Manager | >=13.1.0<=13.1.1 | |
| F5 BIG-IP Policy Enforcement Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Policy Enforcement Manager | =15.0.0 | |
| ISC BIND | >=9.9.0<=9.10.8 | |
| ISC BIND | >=9.11.0<=9.11.6 | |
| ISC BIND | >=9.12.0<=9.12.4 | |
| ISC BIND | >=9.13.0<=9.13.7 | |
| ISC BIND | =9.9.3-s1 | |
| ISC BIND | =9.10.8-p1 | |
| ISC BIND | =9.11.5-s3 | |
| ISC BIND | =9.11.5-s5 | |
| ISC BIND | =9.14.0 | |
| F5 Enterprise Manager | =3.1.1 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=5.0.0<=5.4.0 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=6.0.0<=6.1.0 | |
| F5 iWorkflow | =2.3.0 | |
| f5 big-ip domain name system | >=11.5.2<=11.6.5 | |
| f5 big-ip domain name system | >=12.1.0<=12.1.4 | |
| f5 big-ip domain name system | >=13.1.0<=13.1.1 | |
| f5 big-ip domain name system | >=14.0.0<=14.1.0 | |
| f5 big-ip domain name system | =15.0.0 |
Remedy
Upgrade to a version of BIND containing a fix for the ineffective limits. + BIND 9.11.6-P1 + BIND 9.12.4-P1 + BIND 9.14.1 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. + BIND 9.11.5-S6 + BIND 9.11.6-S1
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kb.isc.org/docs/cve-2018-5743
- https://support.f5.com/csp/article/K74009656?utm_source=f5support&utm_medium=RSS
- https://www.synology.com/security/advisory/Synology_SA_19_20
- https://gitlab.isc.org/isc-projects/bind9/commit/9689ffc485df8f971f0ad81ab8ab1f5389493776
- https://gitlab.isc.org/isc-projects/bind9/commit/55a7a458e30e47874d34bdf1079eb863a0512396
- https://gitlab.isc.org/isc-projects/bind9/commit/9446629b730c59c4215f08d37fbaf810282fbccb
- https://gitlab.isc.org/isc-projects/bind9/commit/87d431161450777ea093821212abfb52d51b36e3
- https://gitlab.isc.org/isc-projects/bind9/commit/13f7c918b8720d890408f678bd73c20e634539d9
- https://gitlab.isc.org/isc-projects/bind9/commit/d01023aaac35543daffbdf48464e320150235d41
- https://lists.isc.org/pipermail/bind-users/2019-April/101673.html
- https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch
- https://security-tracker.debian.org/tracker/CVE-2018-5743
- https://support.f5.com/csp/article/K74009656?utm_source=f5support&%3Butm_medium=RSS
Frequently Asked Questions
What is the severity of CVE-2018-5743?
CVE-2018-5743 has been assigned a medium severity rating due to its potential impact on TCP connections in BIND.
How do I fix CVE-2018-5743?
To fix CVE-2018-5743, update to a patched version of BIND, specifically 9.11.6 or later.
Which software versions are affected by CVE-2018-5743?
CVE-2018-5743 affects several versions of BIND, particularly versions between 9.9.0 and 9.13.7.
What are the potential consequences of exploiting CVE-2018-5743?
Exploitation of CVE-2018-5743 could lead to denial of service conditions due to excessive TCP connection attempts.
Is there a workaround for CVE-2018-5743 until I can update?
A potential workaround for CVE-2018-5743 is to manually configure the maximum number of TCP connections in BIND.
- collector/security-tracker-debian
- agent/type
- agent/title
- agent/remedy
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- package-manager/debian
- vendor/f5
- canonical/f5 big-ip local traffic manager
- version/f5 big-ip local traffic manager/11.5.2
- version/f5 big-ip local traffic manager/11.6.5
- version/f5 big-ip local traffic manager/12.1.0
- version/f5 big-ip local traffic manager/12.1.4
- version/f5 big-ip local traffic manager/13.0.0
- version/f5 big-ip local traffic manager/13.1.1
- version/f5 big-ip local traffic manager/14.0.0
- version/f5 big-ip local traffic manager/14.1.0
- version/f5 big-ip local traffic manager/15.0.0
- canonical/f5 big-ip application acceleration manager
- version/f5 big-ip application acceleration manager/11.5.2
- version/f5 big-ip application acceleration manager/11.6.5
- version/f5 big-ip application acceleration manager/12.1.0
- version/f5 big-ip application acceleration manager/12.1.4
- version/f5 big-ip application acceleration manager/13.0.0
- version/f5 big-ip application acceleration manager/13.1.1
- version/f5 big-ip application acceleration manager/14.0.0
- version/f5 big-ip application acceleration manager/14.1.0
- version/f5 big-ip application acceleration manager/15.0.0
- canonical/f5 big-ip advanced firewall manager
- version/f5 big-ip advanced firewall manager/11.5.2
- version/f5 big-ip advanced firewall manager/11.6.5
- version/f5 big-ip advanced firewall manager/12.1.0
- version/f5 big-ip advanced firewall manager/12.1.4
- version/f5 big-ip advanced firewall manager/13.1.0
- version/f5 big-ip advanced firewall manager/13.1.1
- version/f5 big-ip advanced firewall manager/14.0.0
- version/f5 big-ip advanced firewall manager/14.1.0
- version/f5 big-ip advanced firewall manager/15.0.0
- canonical/f5 big-ip analytics
- version/f5 big-ip analytics/11.5.2
- version/f5 big-ip analytics/11.6.5
- version/f5 big-ip analytics/12.1.0
- version/f5 big-ip analytics/12.1.4
- version/f5 big-ip analytics/13.0.0
- version/f5 big-ip analytics/13.1.1
- version/f5 big-ip analytics/14.0.0
- version/f5 big-ip analytics/14.1.0
- version/f5 big-ip analytics/15.0.0
- canonical/f5 access policy manager
- version/f5 access policy manager/11.5.2
- version/f5 access policy manager/11.6.5
- version/f5 access policy manager/12.1.0
- version/f5 access policy manager/12.1.4
- version/f5 access policy manager/13.1.0
- version/f5 access policy manager/13.1.1
- version/f5 access policy manager/14.0.0
- version/f5 access policy manager/14.1.0
- version/f5 access policy manager/15.0.0
- canonical/f5 application security manager
- version/f5 application security manager/11.5.2
- version/f5 application security manager/11.6.5
- version/f5 application security manager/12.1.0
- version/f5 application security manager/12.1.4
- version/f5 application security manager/13.0.0
- version/f5 application security manager/13.1.1
- version/f5 application security manager/14.0.0
- version/f5 application security manager/14.1.1
- version/f5 application security manager/15.0.0
- canonical/f5 big-ip edge gateway
- version/f5 big-ip edge gateway/11.5.2
- version/f5 big-ip edge gateway/11.6.5
- version/f5 big-ip edge gateway/12.1.0
- version/f5 big-ip edge gateway/12.1.4
- version/f5 big-ip edge gateway/13.0.0
- version/f5 big-ip edge gateway/13.1.1
- version/f5 big-ip edge gateway/14.0.0
- version/f5 big-ip edge gateway/14.1.0
- version/f5 big-ip edge gateway/15.0.0
- canonical/f5 big-ip fraud protection services
- version/f5 big-ip fraud protection services/11.5.2
- version/f5 big-ip fraud protection services/11.6.5
- version/f5 big-ip fraud protection services/12.1.0
- version/f5 big-ip fraud protection services/12.1.4
- version/f5 big-ip fraud protection services/13.0.0
- version/f5 big-ip fraud protection services/13.1.1
- version/f5 big-ip fraud protection services/14.0.0
- version/f5 big-ip fraud protection services/14.1.0
- version/f5 big-ip fraud protection services/15.0.0
- canonical/f5 big-ip global traffic manager
- version/f5 big-ip global traffic manager/11.5.2
- version/f5 big-ip global traffic manager/11.6.5
- version/f5 big-ip global traffic manager/12.1.0
- version/f5 big-ip global traffic manager/12.1.4
- version/f5 big-ip global traffic manager/13.0.0
- version/f5 big-ip global traffic manager/13.1.1
- version/f5 big-ip global traffic manager/14.0.0
- version/f5 big-ip global traffic manager/14.1.0
- version/f5 big-ip global traffic manager/15.0.0
- canonical/f5 big-ip
- version/f5 big-ip/11.5.2
- version/f5 big-ip/11.6.5
- version/f5 big-ip/12.1.0
- version/f5 big-ip/12.1.4
- version/f5 big-ip/13.0.0
- version/f5 big-ip/13.1.1
- version/f5 big-ip/14.0.0
- version/f5 big-ip/14.1.0
- version/f5 big-ip/15.0.0
- canonical/f5 big-ip webaccelerator
- version/f5 big-ip webaccelerator/11.5.2
- version/f5 big-ip webaccelerator/11.6.5
- version/f5 big-ip webaccelerator/12.1.0
- version/f5 big-ip webaccelerator/12.1.4
- version/f5 big-ip webaccelerator/13.1.0
- version/f5 big-ip webaccelerator/13.1.1
- version/f5 big-ip webaccelerator/14.0.0
- version/f5 big-ip webaccelerator/14.1.0
- version/f5 big-ip webaccelerator/15.0.0
- canonical/f5 big-ip policy enforcement manager
- version/f5 big-ip policy enforcement manager/11.5.2
- version/f5 big-ip policy enforcement manager/11.6.5
- version/f5 big-ip policy enforcement manager/12.1.0
- version/f5 big-ip policy enforcement manager/12.1.4
- version/f5 big-ip policy enforcement manager/13.1.0
- version/f5 big-ip policy enforcement manager/13.1.1
- version/f5 big-ip policy enforcement manager/14.0.0
- version/f5 big-ip policy enforcement manager/14.1.0
- version/f5 big-ip policy enforcement manager/15.0.0
- vendor/isc
- canonical/isc bind
- version/isc bind/9.9.0
- version/isc bind/9.10.8
- version/isc bind/9.11.0
- version/isc bind/9.11.6
- version/isc bind/9.12.0
- version/isc bind/9.12.4
- version/isc bind/9.13.0
- version/isc bind/9.13.7
- version/isc bind/9.9.3-s1
- version/isc bind/9.10.8-p1
- version/isc bind/9.11.5-s3
- version/isc bind/9.11.5-s5
- version/isc bind/9.14.0
- canonical/f5 enterprise manager
- version/f5 enterprise manager/3.1.1
- canonical/f5 big-ip and big-iq centralized management
- version/f5 big-ip and big-iq centralized management/5.0.0
- version/f5 big-ip and big-iq centralized management/5.4.0
- version/f5 big-ip and big-iq centralized management/6.0.0
- version/f5 big-ip and big-iq centralized management/6.1.0
- canonical/f5 iworkflow
- version/f5 iworkflow/2.3.0
- canonical/f5 big-ip domain name system
- version/f5 big-ip domain name system/11.5.2
- version/f5 big-ip domain name system/11.6.5
- version/f5 big-ip domain name system/12.1.0
- version/f5 big-ip domain name system/12.1.4
- version/f5 big-ip domain name system/13.1.0
- version/f5 big-ip domain name system/13.1.1
- version/f5 big-ip domain name system/14.0.0
- version/f5 big-ip domain name system/14.1.0
- version/f5 big-ip domain name system/15.0.0