Allele Security Alert
ASA-2019-00111
Identifier(s)
ASA-2019-00111, CVE-2018-5744
Title
A specially crafted packet can cause named to leak memory
Vendor(s)
Internet Systems Consortium (ISC)
Product(s)
BIND
Affected version(s)
BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.10.7-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected.
Fixed version(s)
BIND 9.11.5-P4
BIND 9.12.3-P4
BIND 9.11.5-S5
Proof of concept
Unknown
Description
A failure to free memory can occur when processing messages having a specific combination of EDNS options.
By exploiting this condition, an attacker can potentially cause named’s memory use to grow without bounds until all memory available to the process is exhausted. Typically a server process is limited as to the amount of memory it can use but if the named process is not limited by the operating system all free memory on the server could be exhausted.
Technical details
Unknown
Credits
Toshifumi Sakaguchi
Reference(s)
CVE-2018-5744: A specially crafted packet can cause named to leak memory
https://kb.isc.org/docs/cve-2018-5744
Multiple BIND CVEs disclosed (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
https://seclists.org/oss-sec/2019/q1/146
CVE-2018-5744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5744
CVE-2018-5744
https://nvd.nist.gov/vuln/detail/CVE-2018-5744
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 26, 2019