CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys

Published Feb 20, 2019
·
Updated

"managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745.

Other sources

A flaw was found in Bind. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure causing denial of service.

Red Hat

ISC BIND is vulnerable to a denial of service, caused by an error in the managed-keys feature. By replacing a trust anchor's keys with keys which use an unsupported algorithm, a remote authenticated attacker could exploit this vulnerability to cause an assertion failure.

IBM

Affected Software

15 affected componentsFixes available
redhat/bind<9.11.5
9.11.5
redhat/bind<9.12.3
9.12.3
IBM Data Risk Manager<=2.0.6
ISC BIND>=9.9.0<=9.10.7
ISC BIND>=9.11.0<=9.11.4
ISC BIND>=9.12.0<=9.12.2
ISC BIND>=9.13.0<=9.13.6
ISC Bind Supported Preview=9.9.3-s1
ISC BIND=9.10.7
ISC BIND=9.10.8-p1
ISC BIND=9.11.5
ISC BIND=9.11.5-p1
ISC Bind Supported Preview=9.11.5-s3
ISC BIND=9.12.3
ISC BIND=9.12.3-p1

Remediation

Information

Upgrade to a version of BIND containing a fix preventing the assertion failure. >= BIND 9.11.5-P4 >= BIND 9.12.3-P4 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. >= BIND 9.11.5-S5

Event History

Oct 9, 2019
CVE Published
via MITRE·02:17 PM
Data Sourced
via MITRE·02:17 PM
RemedyDescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2018-5745?

CVE-2018-5745 is classified as a denial-of-service vulnerability that can lead to assertion failures in ISC BIND.

2

How do I fix CVE-2018-5745?

To mitigate CVE-2018-5745, upgrade ISC BIND to version 9.11.5 or 9.12.3 or apply the necessary patches.

3

Which versions of ISC BIND are affected by CVE-2018-5745?

CVE-2018-5745 affects versions of ISC BIND from 9.9.0 up to and including 9.12.2.

4

Can CVE-2018-5745 be exploited remotely?

Yes, CVE-2018-5745 can be exploited remotely by an authenticated attacker.

5

Is CVE-2018-5745 related to key management in ISC BIND?

Yes, CVE-2018-5745 is related to an error in the managed-keys feature of ISC BIND.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203