CVE-2018-5741

Update policies krb5-subdomain and ms-subdomain do not enforce controls promised in their documentation

Description

To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.

Remediation

Solution:

  • At the time of public disclosure, ISC is not providing any code changing the behavior of the update-policy feature. While we believe that there are a few operators out there who are relying on the strictest interpretation permitted by the erroneous documentation, we have to balance that against changing the behavior of features in stable branches of BIND, including the 9.11 branch which is meant to be a feature-complete Extended Support Version of BIND 9. As a compromise between these conflicting priorities, we have decided that our best course of action is to disclose the error but leave the existing behavior of the krb5-subdomain and ms-subdomain policies as they are (while correcting the erroneous documentation). In maintenance releases issued during or after October 2018, the name field for ms-subdomain and krb5-subdomain will be corrected so that names lower than "." can be configured, and two new rule types will be added, krb5-selfsub and ms-selfsub, analogous to the existing selfsub rule type, which implement the behavior that was formerly described in the documentation for krb5-subdomain and ms-subdomain: restricting updates to names at or below the machine name encoded in the client's Windows or Kerberos principal.

Workaround:

  • To limit updates to a subset of a zone -- for example, "sub.example.com" -- create a new "sub.example.com" child zone beneath "example.com", and set the desired update-policy in the child zone rather than the parent.

Category

6.5
CVSS
Severity: Medium
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.46%
Vendor Advisory gentoo.org Vendor Advisory redhat.com Vendor Advisory opensuse.org Vendor Advisory opensuse.org Vendor Advisory isc.org
Affected: ISC BIND 9
Published at:
Updated at:

References

Link Tags
http://www.securityfocus.com/bid/105379 third party advisory vdb entry
http://www.securitytracker.com/id/1041674 third party advisory vdb entry
https://kb.isc.org/docs/cve-2018-5741 vendor advisory
https://security.gentoo.org/glsa/201903-13 third party advisory vendor advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03927en_us
https://access.redhat.com/errata/RHSA-2019:2057 vendor advisory
https://security.netapp.com/advisory/ntap-20190830-0001/
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html vendor advisory

Frequently Asked Questions

What is the severity of CVE-2018-5741?
CVE-2018-5741 has been scored as a medium severity vulnerability.
How to fix CVE-2018-5741?
To fix CVE-2018-5741: At the time of public disclosure, ISC is not providing any code changing the behavior of the update-policy feature. While we believe that there are a few operators out there who are relying on the strictest interpretation permitted by the erroneous documentation, we have to balance that against changing the behavior of features in stable branches of BIND, including the 9.11 branch which is meant to be a feature-complete Extended Support Version of BIND 9. As a compromise between these conflicting priorities, we have decided that our best course of action is to disclose the error but leave the existing behavior of the krb5-subdomain and ms-subdomain policies as they are (while correcting the erroneous documentation). In maintenance releases issued during or after October 2018, the name field for ms-subdomain and krb5-subdomain will be corrected so that names lower than "." can be configured, and two new rule types will be added, krb5-selfsub and ms-selfsub, analogous to the existing selfsub rule type, which implement the behavior that was formerly described in the documentation for krb5-subdomain and ms-subdomain: restricting updates to names at or below the machine name encoded in the client's Windows or Kerberos principal.
Is CVE-2018-5741 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2018-5741 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2018-5741?
CVE-2018-5741 affects ISC BIND 9.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.