### [CVE-2018-5738](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738)
![](https://img.shields.io/static/v1?label=Product&message=BIND%209&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=There%20are%20several%20potential%20problems%20which%20can%20be%20caused%20by%20improperly%20permitting%20recursive%20service%20to%20unauthorized%20clients%2C%20including%3A%0A%0A%20%20%20%20Additional%20queries%20from%20unauthorized%20clients%20may%20increase%20the%20load%20on%20a%20server%2C%20possibly%20degrading%20service%20to%20authorized%20clients.%0A%20%20%20%20Allowing%20queries%20from%20unauthorized%20clients%20can%20potentially%20allow%20a%20server%20to%20be%20co-opted%20for%20use%20in%20DNS%20reflection%20attacks.%0A%20%20%20%20An%20attacker%20may%20be%20able%20to%20deduce%20which%20queries%20a%20server%20has%20previously%20serviced%20by%20examining%20the%20results%20of%20queries%20answered%20from%20the%20cache%2C%20potentially%20leaking%20private%20information%20about%20what%20queries%20have%20been%20performed.%0A&color=brighgreen)
### Description
Change #4777 (introduced in October 2017) caused an unforeseen regression in releases issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following:

- none, if "recursion no;" is set in named.conf;
- a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) is in effect AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or
- the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query".

However, because of the regression introduced by change #4777, when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query", the "allow-recursion" setting can inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients.

Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.
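
The default-resolution rules in this description, modeled in Python as an added example (not ISC's code and not part of the original entry): it resolves the effective "allow-recursion" ACL under the documented and the regressed behavior and flags a named.conf where the two differ. Assumptions: the function names and sample configurations are constructed, "allow-query-cache" is consulted before "allow-query", and views, include files and nested match lists are not handled.

```python
import re

# Comment styles accepted in named.conf: /* ... */, // ... and # ...
# (simplification: comment markers inside quoted strings are not recognised)
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def _match_list(conf, name):
    """Return the text of an explicitly set `name { ... };` list, or None."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{([^}]*)\}", conf)
    return " ".join(m.group(1).split()) if m else None


def effective_allow_recursion(named_conf, regressed):
    """Resolve allow-recursion as the description states.

    regressed=False: documented behavior.
    regressed=True:  behavior of releases affected by change #4777.
    """
    conf = _COMMENTS.sub(" ", named_conf)
    explicit = _match_list(conf, "allow-recursion")
    if explicit is not None:
        return explicit
    rec = re.search(r"(?<![\w-])recursion\s+(\w+)\s*;", conf)
    if rec and rec.group(1).lower() in ("no", "false", "0"):
        return "none;"
    # Assumed order: allow-query-cache first, then allow-query.
    for name in ("allow-query-cache", "allow-query"):
        inherited = _match_list(conf, name)
        if inherited is not None:
            return inherited
    # Nothing set explicitly: this is the only case the regression changes.
    return "any;" if regressed else "localhost; localnets;"


def exposed_by_cve_2018_5738(named_conf):
    """True when an affected release would resolve a wider ACL than documented."""
    return (effective_allow_recursion(named_conf, True)
            != effective_allow_recursion(named_conf, False))


# Constructed sample configurations (not taken from any real deployment).
DEFAULTS_ONLY = 'options { directory "/var/named"; };'
RECURSION_OFF = 'options { recursion no; };'
WITH_QUERY_ACL = 'options { recursion yes; allow-query { 192.0.2.0/24; }; };'
PINNED = 'options { allow-recursion { localhost; localnets; }; };  # explicit'
```

Of the four samples only `DEFAULTS_ONLY` is flagged; the other three set a value that the resolution reaches before the regressed default.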
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/HJXSaber/bind9-my
- https://github.com/balabit-deps/balabit-os-8-bind9-libs
- https://github.com/balabit-deps/balabit-os-9-bind9-libs
- https://github.com/pexip/os-bind9
- https://github.com/pexip/os-bind9-libs
- https://github.com/psmedley/bind-os2