BIND: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective

[icecream-guy]

CVE:                 CVE-2018-5743
Document version:    2.0
Posting date:        24 April 2019
Program impacted:    BIND
Versions affected:   BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6,
                     9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview
                     Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
                     Versions 9.13.0 -> 9.13.7 of the 9.13 development branch
                     are also affected. Versions prior to BIND 9.9.0 have not
                     been evaluated for vulnerability to CVE-2018-5743.
Severity:            High
Exploitable:         Remotely

Description:

   By design, BIND is intended to limit the number of TCP clients
   that can be connected at any given time. The number of allowed
   connections is a tunable parameter which, if unset, defaults to
   a conservative value for most servers. Unfortunately, the code
   which was intended to limit the number of simultaneous connections
   contains an error which can be exploited to grow the number of
   simultaneous connections beyond this limit.

Impact:

   By exploiting the failure to limit simultaneous TCP connections,
   an attacker can deliberately exhaust the pool of file descriptors
   available to named, potentially affecting network connections
   and the management of files such as log files or zone journal
   files.

   In cases where the named process is not limited by OS-enforced
   per-process limits, this could additionally potentially lead to
   exhaustion of all available free file descriptors on that system.

CVSS Score:          7.5
CVSS Vector:         CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Workarounds:

   None.

Active exploits:

   No known deliberate exploits, but the situation may occur
   accidentally on busy servers.

   It is possible for operators to mistakenly believe that their
   configured (or default) limit is sufficient for their typical
   operations, when in fact it is not. Following an upgrade to a
   version that effectively applies limits, named may deny connections
   which were previously improperly permitted. Operators can monitor
   their logs for rejected connections, keep an eye on "rndc status"
   reports of simultaneous connections, or use other tools to monitor
   whether the now-effective limits are causing problems for
   legitimate clients. Should this be the case, increasing the value
   of the tcp-clients setting in named.conf to an appropriate value
   would be recommended.

Solution:

   Upgrade to a version of BIND containing a fix for the ineffective
   limits.

   -  BIND 9.11.6-P1
   -  BIND 9.12.4-P1
   -  BIND 9.14.1

   BIND Supported Preview Edition is a special feature preview
   branch of BIND provided to eligible ISC support customers.

   -  BIND 9.11.5-S6
   -  BIND 9.11.6-S1

Acknowledgements:

   ISC would like to thank AT&T for helping us to discover this
   issue.

Document revision history:

   1.0 Advance Notification, 16 January 2019
   1.1 Recall due to error in original fix, 17 January 2019
   1.3 Replacement fix delivered to Advance Notification customers, 15 April 2019
   1.4 Corrected Versions affected and Solution, 16 April 2019
   1.5 Added reference to BIND 9.11.6-S1
   2.0 Public disclosure, 24 April 2019

Related documents:

   See our BIND 9 Security Vulnerability Matrix for a complete
   listing of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory should go to security-officer@isc.org. To report a new issue, please encrypt your message using security-officer@isc.org's PGP key which can be found here:
   https://www.isc.org/downloads/software-support-policy/openpgp-key
If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/.

Note:

   ISC patches only currently supported versions. When possible we
   indicate EOL versions affected. (For current information on which
   versions are actively supported, please see
   https://www.isc.org/downloads/.)

ISC Security Vulnerability Disclosure Policy:

   Details of our current security advisory policy and practice can
   be found in the ISC Software Defect and Security Vulnerability
   Disclosure Policy.

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time. A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.