Allele Security Alert
A specially crafted packet can cause named to leak memory
Internet Systems Consortium (ISC)
BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.10.7-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected.
Proof of concept
A failure to free memory can occur when processing messages having a specific combination of EDNS options.
By exploiting this condition, an attacker can potentially cause named’s memory use to grow without bounds until all memory available to the process is exhausted. Typically a server process is limited as to the amount of memory it can use but if the named process is not limited by the operating system all free memory on the server could be exhausted.
CVE-2018-5744: A specially crafted packet can cause named to leak memory
Multiple BIND CVEs disclosed (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 26, 2019