Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the allow-recursion setting, it SHOULD default to one of the following: none, if recursion no; is set in named.conf; a value inherited from the allow-query-cache or allow-query settings IF recursion yes; (the default for that setting) AND match lists are explicitly set for allow-query-cache or allow-query (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of allow-recursion {localhost; localnets;}; if recursion yes; is in effect and no values are explicitly set for allow-query-cache or allow-query. However, because of the regression introduced by change #4777, it is possible when recursion yes; is in effect and no match list values are provided for allow-query-cache or allow-query for the setting of allow-recursion to inherit a setting of all hosts from the allow-query setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.
Find out more about CVE-2018-5738 from the MITRE-CVE dictionary and NIST NVD
Login may be required to access defects or downloads.
Product Name | Status | Defect | Fixed | Downloads |
---|