ASA-2019-00234 – BIND: Limiting simultaneous TCP clients is ineffective

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00234

Identifier(s)

ASA-2019-00234, CVE-2018-5743

Title

Limiting simultaneous TCP clients is ineffective

Vendor(s)

Internet Systems Consortium (ISC)

Product(s)

BIND

Affected version(s)

BIND 9.9.0 to 9.10.8-P1
BIND 9.11.0 to 9.11.6
BIND 9.12.0 to 9.12.4
BIND 9.14.0
BIND Supported Preview Edition 9.9.3-S1 to 9.11.5-S3
BIND Supported Preview Edition 9.11.5-S5
BIND 9.13.0 to 9.13.7

Fixed version(s)

BIND 9.11.6-P1
BIND 9.12.4-P1
BIND 9.14.1
BIND Supported Preview Edition 9.11.5-S6
BIND Supported Preview Edition 9.11.6-S1

Proof of concept

Unknown

Description

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit.

Technical details

Unknown

Credits

AT&T

Reference(s)

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
https://kb.isc.org/docs/cve-2018-5743

CVE-2018-5743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743

CVE-2018-5743
https://nvd.nist.gov/vuln/detail/CVE-2018-5743

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: April 27, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.