CVE-2018-5736

16.01.2019, 20:29

An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession. This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test. Affects BIND 9.12.0 and 9.12.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
isc	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 97%

Vendor	Product	Version
isc	bind	9.12.0
isc	bind	9.12.1
netapp	cloud_backup	-
netapp	data_ontap_edge	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

bind9

bullseye	1:9.16.50-1~deb11u2 fixed
bullseye (security)	1:9.16.50-1~deb11u1 fixed
bookworm	1:9.18.28-1~deb12u2 fixed
bookworm (security)	1:9.18.28-1~deb12u2 fixed
sid	1:9.20.2-1 fixed
trixie	1:9.20.2-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

bind9

bionic	not-affected
artful	not-affected
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-617 - Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

References

http://www.securityfocus.com/bid/104386

http://www.securitytracker.com/id/1040941

https://kb.isc.org/docs/aa-01602

https://security.netapp.com/advisory/ntap-20180926-0004/

http://www.securityfocus.com/bid/104386

http://www.securitytracker.com/id/1040941

https://kb.isc.org/docs/aa-01602

https://security.netapp.com/advisory/ntap-20180926-0004/