CVE-2018-5741 Information

Description

To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client depending on the key used when sending the update request. Unfortunately some rule types were not initially documented and when documentation for them was added to the Administrator Reference Manual (ARM) in change 3112 the language that was added to the ARM at that time incorrectly described the behavior of two rule types krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Reference

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html http://www.securityfocus.com/bid/105379 http://www.securitytracker.com/id/1041674 https://access.redhat.com/errata/RHSA-2019:2057 https://kb.isc.org/docs/cve-2018-5741 https://security.gentoo.org/glsa/201903-13 https://security.netapp.com/advisory/ntap-20190830-0001/ https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03927en_us

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

6.5