CVE-2018-5745 : What You Need to Know

Learn about CVE-2018-5745, a vulnerability in BIND servers causing unexpected terminations due to key rollover issues. Find out the impacted systems and versions, exploitation details, and mitigation steps.

CVE-2018-5745, also known as "An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys," is a vulnerability affecting BIND servers that can lead to unexpected terminations due to key rollover issues.

Understanding CVE-2018-5745

This CVE involves a flaw in the "managed-keys" feature of BIND, impacting various versions of the software.

What is CVE-2018-5745?

The vulnerability in BIND's "managed-keys" feature can cause a server to terminate unexpectedly with an assertion failure if a trust anchor rolls over to a key algorithm that the server does not support.

The Impact of CVE-2018-5745

The vulnerability has a CVSS base score of 4.9, with a medium severity rating. It requires high privileges for exploitation and has a high availability impact.

Technical Details of CVE-2018-5745

The technical aspects of this CVE provide insights into the vulnerability's description, affected systems, and exploitation mechanism.

Vulnerability Description

The flaw in the managed-keys feature can cause a BIND server to exit unexpectedly if a managed trust anchor rolls over to an unsupported key algorithm.

Affected Systems and Versions

- Versions affected include BIND 9.9.0 to 9.10.8-P1, 9.11.0 to 9.11.5-P1, 9.12.0 to 9.12.3-P1, and versions 9.9.3-S1 to 9.11.5-S3 of BIND 9 Supported Preview Edition.
- Additionally, versions 9.13.0 to 9.13.6 of the 9.13 development branch are impacted.
- Versions prior to BIND 9.9.0 have not been evaluated for this vulnerability.

Exploitation Mechanism

The vulnerability requires an operator to have BIND configured to use a trust anchor managed by the attacker, making it challenging for arbitrary attackers to exploit. However, if successfully exercised, it can cause named to exit after encountering an assertion failure.

Mitigation and Prevention

To address CVE-2018-5745, specific steps need to be taken to mitigate the risk and prevent exploitation.

Immediate Steps to Take

- Upgrade to a version of BIND containing a fix to prevent assertion failures, such as BIND 9.11.5-P4 or BIND 9.12.3-P4.
- For BIND Supported Preview Edition users, upgrade to BIND 9.11.5-S5.
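The following is an added example, not code from ISC or from this advisory, that checks an upstream BIND version string against the affected ranges and fixed releases listed on this page. The function names and status labels are assumptions, as is the rule that later releases on a fixed branch keep the fix; distribution packages with backported patches should be checked against the distributor's advisory instead.

```python
import re

# Affected ranges exactly as listed on this page (inclusive bounds).
# Open-source and Supported Preview Edition ("-S") releases are tracked separately.
AFFECTED = {
    "open": [("9.9.0", "9.10.8-P1"), ("9.11.0", "9.11.5-P1"),
             ("9.12.0", "9.12.3-P1"), ("9.13.0", "9.13.6")],
    "preview": [("9.9.3-S1", "9.11.5-S3")],
}
# Fixed releases named on this page.
FIXED = {"open": ["9.11.5-P4", "9.12.3-P4"], "preview": ["9.11.5-S5"]}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?$")


def parse(version):
    """Return (edition, sortable key) for strings like 9.11.5, 9.11.5-P1, 9.11.5-S3."""
    m = _VERSION.match(version.strip())
    if not m:
        # Betas, release candidates and distro-suffixed strings are rejected, not guessed.
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    major, minor, patch, kind, level = m.groups()
    edition = "preview" if kind == "S" else "open"
    return edition, (int(major), int(minor), int(patch), int(level or 0))


def classify(version):
    """Return 'affected', 'fixed', 'not evaluated' or 'not listed' (hypothetical labels)."""
    edition, key = parse(version)
    for low, high in AFFECTED[edition]:
        if parse(low)[1] <= key <= parse(high)[1]:
            return "affected"
    for fixed in FIXED[edition]:
        fixed_key = parse(fixed)[1]
        # Assumption: later releases on the same major.minor branch keep the fix.
        if key[:2] == fixed_key[:2] and key >= fixed_key:
            return "fixed"
    if key < (9, 9, 0, 0):
        return "not evaluated"  # the page says pre-9.9.0 was not assessed
    return "not listed"         # e.g. 9.11.5-P2: neither affected nor named as fixed


if __name__ == "__main__":
    for v in ("9.11.5-P1", "9.11.5-P4", "9.10.5-S2", "9.8.4", "9.13.7"):
        print(v, "->", classify(v))
```

A result of "not listed" means the page gives no statement for that release, so it should be confirmed against the ISC advisory rather than treated as safe.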

Long-Term Security Practices

- Regularly update BIND to the latest versions to ensure security patches are applied promptly.
- Monitor vendor advisories and security alerts for any new developments related to BIND vulnerabilities.

Patching and Updates

Stay informed about the latest patches and updates released by ISC to address vulnerabilities like CVE-2018-5745.
