Description:

Multiple vulnerabilities were found in "EDNS", "managed-keys" and "Dynamically Loadable Zones" features of the Internet Systems Consortium (ISC) BIND software. A remote attacker could send specially crafted messages, make malicious queries or trigger DNS zone transfers to exploit the vulnerabilities.

Affected Systems:

• BIND 9.9.0 to 9.10.8-P1
• BIND 9.11.0 to 9.11.5-P2
• BIND 9.12.0 to 9.12.3-P2
• BIND 9.9.3-S1 to 9.11.5-S3
• BIND 9.13.0 to 9.13.6

Impact:

Successful exploitation could lead to a denial of service condition or information disclosure on an affected system.

Recommendation:

ISC has released the following patches to solve the problems:

• BIND 9 version 9.11.5-P4
• BIND 9 version 9.12.3-P4
• BIND 9 version 9.11.5-S5

http://www.isc.org/downloads/

Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

https://kb.isc.org/docs/cve-2018-5744
https://kb.isc.org/docs/cve-2018-5745
https://kb.isc.org/docs/cve-2019-6465
https://www.hkcert.org/my_url/en/alert/19022501
https://www.us-cert.gov/ncas/current-activity/2019/02/22/ISC-Releases-Security-Updates-BIND
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6465