ASA-2019-00112 – BIND: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys


Allele Security Alert

ASA-2019-00112

Identifier(s)

ASA-2019-00112, CVE-2018-5745

Title

An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys

Vendor(s)

Internet Systems Consortium (ISC)

Product(s)

BIND

Affected version(s)

BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected.

Fixed version(s)

BIND 9.11.5-P4
BIND 9.12.3-P4
BIND 9.11.5-S5

Proof of concept

Unknown

Description

“managed-keys” is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature, it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor’s keys are replaced with keys which use an unsupported algorithm.

Technical details

This particular vulnerability would be very difficult for an arbitrary attacker to use because it requires an operator to have BIND configured to use a trust anchor managed by the attacker. However, if successfully exercised, the defect will cause named to deliberately exit after encountering an assertion failure.

It is more likely, perhaps, that this bug could be encountered accidentally, as not all versions of BIND support the same set of cryptographic algorithms. Specifically, recent branches of BIND have begun deliberately removing support for cryptographic algorithms that are now deprecated (for example, because they are no longer considered sufficiently secure). This vulnerability could be encountered if a resolver running a version of BIND which has removed support for deprecated algorithms is configured to use a trust anchor which elects to change algorithm types to one of those deprecated algorithms.
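The accidental case above can be caught before named ever sees the new key: an operator can pull the trust anchor zone's DNSKEY RRset (for example with dig) and compare the algorithm of every SEP key against what the local named build supports. The following is an added defender-side check, not code from ISC or from this alert; it assumes dig-style presentation-format DNSKEY lines as input, the `LOCAL_SUPPORTED` set is an illustrative assumption to be replaced with the algorithms your own build implements, and the sample RRset is constructed with placeholder key material.

```python
import re

# IANA DNSSEC algorithm numbers, used only to name what the check reports.
DNSKEY_ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
                     7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
                     12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
                     15: "ED25519", 16: "ED448"}
# DNSKEY flag bits (RFC 4034 zone key / SEP, RFC 5011 revoke).
FLAG_ZONE_KEY, FLAG_REVOKE, FLAG_SEP = 0x0100, 0x0080, 0x0001
# ASSUMPTION: the algorithms the local named build supports; illustrative only,
# replace it with the set your own build actually implements.
LOCAL_SUPPORTED = {8, 10, 13, 14, 15, 16}

# Presentation-format DNSKEY RR: owner [ttl] IN DNSKEY flags protocol alg key
DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_dnskey_rrset(text):
    """Parse dig-style DNSKEY lines; anything else (comments, RRSIGs) is skipped."""
    keys = []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            owner, flags, proto, alg, _pubkey = m.groups()
            keys.append({"owner": owner, "flags": int(flags),
                         "protocol": int(proto), "algorithm": int(alg)})
    return keys

def check_trust_anchor_rollover(rrset_text, supported=LOCAL_SUPPORTED):
    """Return (owner, alg, name) for each SEP key the local resolver cannot use."""
    findings = []
    for k in parse_dnskey_rrset(rrset_text):
        is_ksk = (k["flags"] & FLAG_ZONE_KEY) and (k["flags"] & FLAG_SEP)
        if not is_ksk or k["flags"] & FLAG_REVOKE:
            continue  # ZSKs and revoked (retiring) keys are never adopted as anchors
        if k["algorithm"] not in supported:
            findings.append((k["owner"], k["algorithm"],
                             DNSKEY_ALGORITHMS.get(k["algorithm"], "UNASSIGNED")))
    return findings

# Constructed sample RRset: a rollover adding a DSA (3) KSK next to the current
# RSASHA256 (8) KSK, a ZSK and a revoked RSASHA1 KSK; key material is placeholder.
SAMPLE_RRSET = """\
example. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEYMATERIAL1 ; current KSK
example. 3600 IN DNSKEY 257 3 3 PLACEHOLDERKEYMATERIAL2 ; new KSK, DSA
example. 3600 IN DNSKEY 256 3 8 PLACEHOLDERKEYMATERIAL3 ; ZSK
example. 3600 IN DNSKEY 385 3 5 PLACEHOLDERKEYMATERIAL4 ; revoked old KSK
"""
```

Running `check_trust_anchor_rollover(SAMPLE_RRSET)` flags only the new DSA KSK, which is the key an unpatched managed-keys resolver lacking DSA support would trip over during the rollover; scheduling this check against each configured managed trust anchor gives warning before the rollover completes.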

Credits

Unknown

Reference(s)

CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
https://kb.isc.org/docs/cve-2018-5745

Multiple BIND CVEs disclosed (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
https://seclists.org/oss-sec/2019/q1/146

CVE-2018-5745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5745

CVE-2018-5745
https://nvd.nist.gov/vuln/detail/CVE-2018-5745

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 26, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.