CVE-2018-5738

Some versions of BIND can improperly permit recursive query service to unauthorized clients

Description

Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query". However, because of the regression introduced by change #4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.

Remediation

Solution:

  • Future maintenance releases of BIND will correct the regression which introduced this issue but ISC does not believe that replacement security releases of BIND are required, given that several easy, safe, and completely effective configuration workarounds are available for any operators with affected configurations. However, an advance version of the patch diff which will be applied to future versions is available upon request to security-officer@isc.org and a correction for the behavior in question will debut in the release candidates for BIND 9.9.13, BIND 9.10.8, BIND 9.11.4, and BIND 9.12.2.

Workaround:

  • A number of configuration workarounds are available which completely avoid the problem. If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default. If the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of: allow-recursion allow-query allow-query-cache will prevent the "allow-recursion" control from improperly inheriting a setting from the allow-query default. If a value is set for any of those values the behavior of allow-recursion will be set directly or inherited from one of the other values as described in the BIND Adminstrator Reference Manual section 6.2. Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf.

Category

5.3
CVSS
Severity: Medium
CVSS 3.0 •
CVSS 2.0 •
EPSS 1.79% Top 20%
Vendor Advisory ubuntu.com Vendor Advisory gentoo.org Vendor Advisory isc.org
Affected: ISC BIND 9
Published at:
Updated at:

References

Link Tags
https://usn.ubuntu.com/3683-1/ third party advisory vendor advisory
https://kb.isc.org/docs/aa-01616 mitigation vendor advisory
http://www.securitytracker.com/id/1041115 vdb entry third party advisory
https://security.gentoo.org/glsa/201903-13 third party advisory vendor advisory
https://security.netapp.com/advisory/ntap-20190830-0002/

Frequently Asked Questions

What is the severity of CVE-2018-5738?
CVE-2018-5738 has been scored as a medium severity vulnerability.
How to fix CVE-2018-5738?
To fix CVE-2018-5738: Future maintenance releases of BIND will correct the regression which introduced this issue but ISC does not believe that replacement security releases of BIND are required, given that several easy, safe, and completely effective configuration workarounds are available for any operators with affected configurations. However, an advance version of the patch diff which will be applied to future versions is available upon request to security-officer@isc.org and a correction for the behavior in question will debut in the release candidates for BIND 9.9.13, BIND 9.10.8, BIND 9.11.4, and BIND 9.12.2.
Is CVE-2018-5738 being actively exploited in the wild?
It is possible that CVE-2018-5738 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2018-5738?
CVE-2018-5738 affects ISC BIND 9.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.