CVE-2018-5743

CWE-770 — Allocation without Limits12 documents8 sources

Severity

7.5HIGH

EPSS

5.7%

top 9.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager F5 Big-ip Analytics +15 more

Timeline

PublishedOct 9

Latest updateMay 24

Description

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages19 packages

▶Debianbind9< 1:9.11.5.P4+dfsg-4+3

▶NVDisc/bind9.9.0 — 9.10.8+7

▶CVEListV5isc/bind_9BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.

▶NVDf5/big-ip_analytics11.5.2 — 11.6.5+4

▶NVDf5/big-ip_edge_gateway11.5.2 — 11.6.5+4

🔴Vulnerability Details

GHSA

GHSA-3cr4-c5wq-3ccv: By design, BIND is intended to limit the number of TCP clients that can be connected at any given time↗2022-05-24

▶

CVEList

Limiting simultaneous TCP clients was ineffective↗2019-10-09

▶

OSV

CVE-2018-5743: By design, BIND is intended to limit the number of TCP clients that can be connected at any given time↗2019-10-09

▶

📋Vendor Advisories

Ubuntu

Bind vulnerability↗2019-05-09

▶

Ubuntu

Bind vulnerability↗2019-04-25

▶

Red Hat

bind: Limiting simultaneous TCP clients is ineffective↗2019-04-24

▶

Debian

CVE-2018-5743: bind9 - By design, BIND is intended to limit the number of TCP clients that can be conne...↗2018

▶

💬Community

Bugzilla

CVE-2019-6477 bind: TCP Pipelining doesn't limit TCP clients on a single connection↗2019-11-18

▶

Bugzilla

CVE-2018-5743 bind: Limiting simultaneous TCP clients is ineffective [fedora-all]↗2019-04-25

▶

Bugzilla

CVE-2018-5743 bind99: bind: Limiting simultaneous TCP clients is ineffective [fedora-all]↗2019-04-25

▶

Bugzilla

CVE-2018-5743 bind: Limiting simultaneous TCP clients is ineffective↗2019-04-24

▶

External resources

NVD MITRE

Affected products18

F5 Big-ip Access Policy Manager≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.1.0, ≤ 13.1.1+2 more

F5 Big-ip Advanced Firewall Manager≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.1.0, ≤ 13.1.1+2 more

F5 Big-ip Analytics≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.0.0, ≤ 13.1.1+2 more

F5 Big-ip Application Acceleration Manager≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.0.0, ≤ 13.1.1+2 more

F5 Big-ip Application Security Manager≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.0.0, ≤ 13.1.1+2 more

F5 Big-ip Domain Name System≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.1.0, ≤ 13.1.1+2 more

F5 Big-ip Edge Gateway≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.0.0, ≤ 13.1.1+2 more

F5 Big-ip Fraud Protection Service≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.0.0, ≤ 13.1.1+2 more

F5 Big-ip Global Traffic Manager≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.0.0, ≤ 13.1.1+2 more

F5 Big-ip Link Controller≥ 11.5.2, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.4≥ 13.0.0, ≤ 13.1.1+2 more

Disclosure

PublishedOct 9, 2019

Latest updateMay 24, 2022