Allele Security Alert
ASA-2019-00112
Identifier(s)
ASA-2019-00112, CVE-2018-5745
Title
An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
Vendor(s)
Internet Systems Consortium (ISC)
Product(s)
BIND
Affected version(s)
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected.
Fixed version(s)
BIND 9.11.5-P4
BIND 9.12.3-P4
BIND 9.11.5-S5
Proof of concept
Unknown
Description
“managed-keys” is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor’s keys are replaced with keys which use an unsupported algorithm.
Technical details
This particular vulnerability would be very difficult for an arbitrary attacker to use because it requires an operator to have BIND configured to use a trust anchor managed by the attacker. However, if successfully exercised, the defect will cause named to deliberately exit after encountering an assertion failure.
It is more likely, perhaps, that this bug could be encountered accidentally, as not all versions of BIND support the same set of cryptographic algorithms. Specifically, recent branches of BIND have begun deliberately removing support for cryptographic algorithms that are now deprecated (for example because they are no longer considered sufficiently secure.) This vulnerability could be encountered if a resolver running a version of BIND which has removed support for deprecated algorithms is configured to use a trust anchor which elects to change algorithm types to one of those deprecated algorithms.
Credits
Unknown
Reference(s)
CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
https://kb.isc.org/docs/cve-2018-5745
Multiple BIND CVEs disclosed (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
https://seclists.org/oss-sec/2019/q1/146
CVE-2018-5745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5745
CVE-2018-5745
https://nvd.nist.gov/vuln/detail/CVE-2018-5745
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 26, 2019