CVE-2018-5743: Limiting simultaneous TCP clients was ineffective
First published: Wed Oct 09 2019(Updated: )
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| F5 Big-ip Local Traffic Manager | >=11.5.2<=11.6.5 | |
| F5 Big-ip Local Traffic Manager | >=12.1.0<=12.1.4 | |
| F5 Big-ip Local Traffic Manager | >=13.0.0<=13.1.1 | |
| F5 Big-ip Local Traffic Manager | >=14.0.0<=14.1.0 | |
| F5 Big-ip Local Traffic Manager | =15.0.0 | |
| F5 Big-ip Application Acceleration Manager | >=11.5.2<=11.6.5 | |
| F5 Big-ip Application Acceleration Manager | >=12.1.0<=12.1.4 | |
| F5 Big-ip Application Acceleration Manager | >=13.0.0<=13.1.1 | |
| F5 Big-ip Application Acceleration Manager | >=14.0.0<=14.1.0 | |
| F5 Big-ip Application Acceleration Manager | =15.0.0 | |
| F5 BIG-IP Advanced Firewall Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Advanced Firewall Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Advanced Firewall Manager | >=13.1.0<=13.1.1 | |
| F5 BIG-IP Advanced Firewall Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Advanced Firewall Manager | =15.0.0 | |
| F5 BIG-IP Analytics | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Analytics | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Analytics | >=13.0.0<=13.1.1 | |
| F5 BIG-IP Analytics | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Analytics | =15.0.0 | |
| F5 BIG-IP Access Policy Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Access Policy Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Access Policy Manager | >=13.1.0<=13.1.1 | |
| F5 BIG-IP Access Policy Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Access Policy Manager | =15.0.0 | |
| F5 BIG-IP Application Security Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Application Security Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Application Security Manager | >=13.0.0<=13.1.1 | |
| F5 BIG-IP Application Security Manager | >=14.0.0<=14.1.1 | |
| F5 BIG-IP Application Security Manager | =15.0.0 | |
| F5 Big-ip Edge Gateway | >=11.5.2<=11.6.5 | |
| F5 Big-ip Edge Gateway | >=12.1.0<=12.1.4 | |
| F5 Big-ip Edge Gateway | >=13.0.0<=13.1.1 | |
| F5 Big-ip Edge Gateway | >=14.0.0<=14.1.0 | |
| F5 Big-ip Edge Gateway | =15.0.0 | |
| F5 Big-ip Fraud Protection Service | >=11.5.2<=11.6.5 | |
| F5 Big-ip Fraud Protection Service | >=12.1.0<=12.1.4 | |
| F5 Big-ip Fraud Protection Service | >=13.0.0<=13.1.1 | |
| F5 Big-ip Fraud Protection Service | >=14.0.0<=14.1.0 | |
| F5 Big-ip Fraud Protection Service | =15.0.0 | |
| F5 Big-ip Global Traffic Manager | >=11.5.2<=11.6.5 | |
| F5 Big-ip Global Traffic Manager | >=12.1.0<=12.1.4 | |
| F5 Big-ip Global Traffic Manager | >=13.0.0<=13.1.1 | |
| F5 Big-ip Global Traffic Manager | >=14.0.0<=14.1.0 | |
| F5 Big-ip Global Traffic Manager | =15.0.0 | |
| F5 Big-ip Link Controller | >=11.5.2<=11.6.5 | |
| F5 Big-ip Link Controller | >=12.1.0<=12.1.4 | |
| F5 Big-ip Link Controller | >=13.0.0<=13.1.1 | |
| F5 Big-ip Link Controller | >=14.0.0<=14.1.0 | |
| F5 Big-ip Link Controller | =15.0.0 | |
| F5 Big-ip Webaccelerator | >=11.5.2<=11.6.5 | |
| F5 Big-ip Webaccelerator | >=12.1.0<=12.1.4 | |
| F5 Big-ip Webaccelerator | >=13.1.0<=13.1.1 | |
| F5 Big-ip Webaccelerator | >=14.0.0<=14.1.0 | |
| F5 Big-ip Webaccelerator | =15.0.0 | |
| F5 Big-ip Policy Enforcement Manager | >=11.5.2<=11.6.5 | |
| F5 Big-ip Policy Enforcement Manager | >=12.1.0<=12.1.4 | |
| F5 Big-ip Policy Enforcement Manager | >=13.1.0<=13.1.1 | |
| F5 Big-ip Policy Enforcement Manager | >=14.0.0<=14.1.0 | |
| F5 Big-ip Policy Enforcement Manager | =15.0.0 | |
| ISC BIND | >=9.9.0<=9.10.8 | |
| ISC BIND | >=9.11.0<=9.11.6 | |
| ISC BIND | >=9.12.0<=9.12.4 | |
| ISC BIND | >=9.13.0<=9.13.7 | |
| ISC BIND | =9.9.3-s1 | |
| ISC BIND | =9.10.8-p1 | |
| ISC BIND | =9.11.5-s3 | |
| ISC BIND | =9.11.5-s5 | |
| ISC BIND | =9.14.0 | |
| F5 Enterprise Manager | =3.1.1 | |
| F5 BIG-IQ Centralized Management | >=5.0.0<=5.4.0 | |
| F5 BIG-IQ Centralized Management | >=6.0.0<=6.1.0 | |
| F5 iWorkflow | =2.3.0 | |
| F5 Big-ip Domain Name System | >=11.5.2<=11.6.5 | |
| F5 Big-ip Domain Name System | >=12.1.0<=12.1.4 | |
| F5 Big-ip Domain Name System | >=13.1.0<=13.1.1 | |
| F5 Big-ip Domain Name System | >=14.0.0<=14.1.0 | |
| F5 Big-ip Domain Name System | =15.0.0 | |
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.19-1 |
Remedy
Upgrade to a version of BIND containing a fix for the ineffective limits. + BIND 9.11.6-P1 + BIND 9.12.4-P1 + BIND 9.14.1 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. + BIND 9.11.5-S6 + BIND 9.11.6-S1
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kb.isc.org/docs/cve-2018-5743
- https://support.f5.com/csp/article/K74009656?utm_source=f5support&utm_medium=RSS
- https://www.synology.com/security/advisory/Synology_SA_19_20
- https://gitlab.isc.org/isc-projects/bind9/commit/9689ffc485df8f971f0ad81ab8ab1f5389493776
- https://gitlab.isc.org/isc-projects/bind9/commit/55a7a458e30e47874d34bdf1079eb863a0512396
- https://gitlab.isc.org/isc-projects/bind9/commit/9446629b730c59c4215f08d37fbaf810282fbccb
- https://gitlab.isc.org/isc-projects/bind9/commit/87d431161450777ea093821212abfb52d51b36e3
- https://gitlab.isc.org/isc-projects/bind9/commit/13f7c918b8720d890408f678bd73c20e634539d9
- https://gitlab.isc.org/isc-projects/bind9/commit/d01023aaac35543daffbdf48464e320150235d41
- https://lists.isc.org/pipermail/bind-users/2019-April/101673.html
- https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch
- https://security-tracker.debian.org/tracker/CVE-2018-5743
- https://support.f5.com/csp/article/K74009656?utm_source=f5support&%3Butm_medium=RSS
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/remedy
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/author
- agent/references
- agent/event
- agent/tags
- agent/first-publish-date
- agent/description
- vendor/f5
- canonical/f5 big-ip local traffic manager
- version/f5 big-ip local traffic manager/11.5.2
- version/f5 big-ip local traffic manager/11.6.5
- version/f5 big-ip local traffic manager/12.1.0
- version/f5 big-ip local traffic manager/12.1.4
- version/f5 big-ip local traffic manager/13.0.0
- version/f5 big-ip local traffic manager/13.1.1
- version/f5 big-ip local traffic manager/14.0.0
- version/f5 big-ip local traffic manager/14.1.0
- version/f5 big-ip local traffic manager/15.0.0
- canonical/f5 big-ip application acceleration manager
- version/f5 big-ip application acceleration manager/11.5.2
- version/f5 big-ip application acceleration manager/11.6.5
- version/f5 big-ip application acceleration manager/12.1.0
- version/f5 big-ip application acceleration manager/12.1.4
- version/f5 big-ip application acceleration manager/13.0.0
- version/f5 big-ip application acceleration manager/13.1.1
- version/f5 big-ip application acceleration manager/14.0.0
- version/f5 big-ip application acceleration manager/14.1.0
- version/f5 big-ip application acceleration manager/15.0.0
- canonical/f5 big-ip advanced firewall manager
- version/f5 big-ip advanced firewall manager/11.5.2
- version/f5 big-ip advanced firewall manager/11.6.5
- version/f5 big-ip advanced firewall manager/12.1.0
- version/f5 big-ip advanced firewall manager/12.1.4
- version/f5 big-ip advanced firewall manager/13.1.0
- version/f5 big-ip advanced firewall manager/13.1.1
- version/f5 big-ip advanced firewall manager/14.0.0
- version/f5 big-ip advanced firewall manager/14.1.0
- version/f5 big-ip advanced firewall manager/15.0.0
- canonical/f5 big-ip analytics
- version/f5 big-ip analytics/11.5.2
- version/f5 big-ip analytics/11.6.5
- version/f5 big-ip analytics/12.1.0
- version/f5 big-ip analytics/12.1.4
- version/f5 big-ip analytics/13.0.0
- version/f5 big-ip analytics/13.1.1
- version/f5 big-ip analytics/14.0.0
- version/f5 big-ip analytics/14.1.0
- version/f5 big-ip analytics/15.0.0
- canonical/f5 big-ip access policy manager
- version/f5 big-ip access policy manager/11.5.2
- version/f5 big-ip access policy manager/11.6.5
- version/f5 big-ip access policy manager/12.1.0
- version/f5 big-ip access policy manager/12.1.4
- version/f5 big-ip access policy manager/13.1.0
- version/f5 big-ip access policy manager/13.1.1
- version/f5 big-ip access policy manager/14.0.0
- version/f5 big-ip access policy manager/14.1.0
- version/f5 big-ip access policy manager/15.0.0
- canonical/f5 big-ip application security manager
- version/f5 big-ip application security manager/11.5.2
- version/f5 big-ip application security manager/11.6.5
- version/f5 big-ip application security manager/12.1.0
- version/f5 big-ip application security manager/12.1.4
- version/f5 big-ip application security manager/13.0.0
- version/f5 big-ip application security manager/13.1.1
- version/f5 big-ip application security manager/14.0.0
- version/f5 big-ip application security manager/14.1.1
- version/f5 big-ip application security manager/15.0.0
- canonical/f5 big-ip edge gateway
- version/f5 big-ip edge gateway/11.5.2
- version/f5 big-ip edge gateway/11.6.5
- version/f5 big-ip edge gateway/12.1.0
- version/f5 big-ip edge gateway/12.1.4
- version/f5 big-ip edge gateway/13.0.0
- version/f5 big-ip edge gateway/13.1.1
- version/f5 big-ip edge gateway/14.0.0
- version/f5 big-ip edge gateway/14.1.0
- version/f5 big-ip edge gateway/15.0.0
- canonical/f5 big-ip fraud protection service
- version/f5 big-ip fraud protection service/11.5.2
- version/f5 big-ip fraud protection service/11.6.5
- version/f5 big-ip fraud protection service/12.1.0
- version/f5 big-ip fraud protection service/12.1.4
- version/f5 big-ip fraud protection service/13.0.0
- version/f5 big-ip fraud protection service/13.1.1
- version/f5 big-ip fraud protection service/14.0.0
- version/f5 big-ip fraud protection service/14.1.0
- version/f5 big-ip fraud protection service/15.0.0
- canonical/f5 big-ip global traffic manager
- version/f5 big-ip global traffic manager/11.5.2
- version/f5 big-ip global traffic manager/11.6.5
- version/f5 big-ip global traffic manager/12.1.0
- version/f5 big-ip global traffic manager/12.1.4
- version/f5 big-ip global traffic manager/13.0.0
- version/f5 big-ip global traffic manager/13.1.1
- version/f5 big-ip global traffic manager/14.0.0
- version/f5 big-ip global traffic manager/14.1.0
- version/f5 big-ip global traffic manager/15.0.0
- canonical/f5 big-ip link controller
- version/f5 big-ip link controller/11.5.2
- version/f5 big-ip link controller/11.6.5
- version/f5 big-ip link controller/12.1.0
- version/f5 big-ip link controller/12.1.4
- version/f5 big-ip link controller/13.0.0
- version/f5 big-ip link controller/13.1.1
- version/f5 big-ip link controller/14.0.0
- version/f5 big-ip link controller/14.1.0
- version/f5 big-ip link controller/15.0.0
- canonical/f5 big-ip webaccelerator
- version/f5 big-ip webaccelerator/11.5.2
- version/f5 big-ip webaccelerator/11.6.5
- version/f5 big-ip webaccelerator/12.1.0
- version/f5 big-ip webaccelerator/12.1.4
- version/f5 big-ip webaccelerator/13.1.0
- version/f5 big-ip webaccelerator/13.1.1
- version/f5 big-ip webaccelerator/14.0.0
- version/f5 big-ip webaccelerator/14.1.0
- version/f5 big-ip webaccelerator/15.0.0
- canonical/f5 big-ip policy enforcement manager
- version/f5 big-ip policy enforcement manager/11.5.2
- version/f5 big-ip policy enforcement manager/11.6.5
- version/f5 big-ip policy enforcement manager/12.1.0
- version/f5 big-ip policy enforcement manager/12.1.4
- version/f5 big-ip policy enforcement manager/13.1.0
- version/f5 big-ip policy enforcement manager/13.1.1
- version/f5 big-ip policy enforcement manager/14.0.0
- version/f5 big-ip policy enforcement manager/14.1.0
- version/f5 big-ip policy enforcement manager/15.0.0
- vendor/isc
- canonical/isc bind
- version/isc bind/9.9.0
- version/isc bind/9.10.8
- version/isc bind/9.11.0
- version/isc bind/9.11.6
- version/isc bind/9.12.0
- version/isc bind/9.12.4
- version/isc bind/9.13.0
- version/isc bind/9.13.7
- version/isc bind/9.9.3-s1
- version/isc bind/9.10.8-p1
- version/isc bind/9.11.5-s3
- version/isc bind/9.11.5-s5
- version/isc bind/9.14.0
- canonical/f5 enterprise manager
- version/f5 enterprise manager/3.1.1
- canonical/f5 big-iq centralized management
- version/f5 big-iq centralized management/5.0.0
- version/f5 big-iq centralized management/5.4.0
- version/f5 big-iq centralized management/6.0.0
- version/f5 big-iq centralized management/6.1.0
- canonical/f5 iworkflow
- version/f5 iworkflow/2.3.0
- canonical/f5 big-ip domain name system
- version/f5 big-ip domain name system/11.5.2
- version/f5 big-ip domain name system/11.6.5
- version/f5 big-ip domain name system/12.1.0
- version/f5 big-ip domain name system/12.1.4
- version/f5 big-ip domain name system/13.1.0
- version/f5 big-ip domain name system/13.1.1
- version/f5 big-ip domain name system/14.0.0
- version/f5 big-ip domain name system/14.1.0
- version/f5 big-ip domain name system/15.0.0
- package-manager/debian