CVE-2018-5736 : An error in zone database reference counting can lead to an assertion failure if

An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession. This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test. Affects BIND 9.12.0 and 9.12.1.

Published 2019-01-16 20:29:01

Updated 2019-10-03 00:03:26

Source Internet Systems Consortium (ISC)

View at NVD, CVE.org

Products affected by CVE-2018-5736

ISC » Bind » Version: 9.12.0
cpe:2.3:a:isc:bind:9.12.0:*:*:*:*:*:*:*
Matching versions
ISC » Bind » Version: 9.12.1
cpe:2.3:a:isc:bind:9.12.1:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Data Ontap Edge » Version: N/A
cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2018-5736

Top countries where our scanners detected CVE-2018-5736

Top open port discovered on systems with this issue 53

IPs affected by CVE-2018-5736 160

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2018-5736!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2018-5736

EPSS FAQ

44.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-5736

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:N/A:P	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.3	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H	1.6	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2018-5736

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-5736

http://www.securityfocus.com/bid/104386

ISC BIND CVE-2018-5736 Remote Denial of Service Vulnerability
Third Party Advisory;VDB Entry
https://security.netapp.com/advisory/ntap-20180926-0004/

May 2018 ISC BIND Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://kb.isc.org/docs/aa-01602

CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c - Security Advisories
Vendor Advisory
http://www.securitytracker.com/id/1040941

BIND Slave Zone Transfer Processing Flaw in 'rbtdb.c' Lets Remote Authenticated Users Cause the Target 'named' Service to Crash - SecurityTracker
Third Party Advisory;VDB Entry