CVE-2018-5737

BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.

Description

A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging. Deliberate exploitation of this condition could cause operational problems depending on the particular manifestation -- either degradation or denial of service. Affects BIND 9.12.0 and 9.12.1.

Remediation

Solution:

  • The error which can be exploited in this vulnerability is present in only two public release versions of BIND, 9.12.0 and 9.12.1. If you are running an affected version then upgrade to BIND 9.12.1-P2

Workaround:

  • Setting "max-stale-ttl 0;" in named.conf will prevent exploitation of this vulnerability (but will effectively disable the serve-stale feature.) Setting "stale-answer enable off;" is not sufficient to prevent exploitation, max-stale-ttl needs to be set to zero.

Category

5.9
CVSS
Severity: Medium
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.91% Top 30%
Vendor Advisory isc.org
Affected: ISC BIND 9
Published at:
Updated at:

References

Link Tags
http://www.securityfocus.com/bid/104236 third party advisory vdb entry
https://kb.isc.org/docs/aa-01606 vendor advisory
http://www.securitytracker.com/id/1040942 third party advisory vdb entry
https://security.netapp.com/advisory/ntap-20180926-0004/ third party advisory

Frequently Asked Questions

What is the severity of CVE-2018-5737?
CVE-2018-5737 has been scored as a medium severity vulnerability.
How to fix CVE-2018-5737?
To fix CVE-2018-5737: The error which can be exploited in this vulnerability is present in only two public release versions of BIND, 9.12.0 and 9.12.1. If you are running an affected version then upgrade to BIND 9.12.1-P2
Is CVE-2018-5737 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2018-5737 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2018-5737?
CVE-2018-5737 affects ISC BIND 9.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.