CVE-2018-5738

Severity Medium
Remote Yes
Type Access restriction bypass
Description
BIND <= 9.13.0 can improperly permit recursive query service to unauthorized clients. When "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query", it is possible for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients.
Group    Package  Affected  Fixed  Severity  Status      Ticket
AVG-718  bind     9.13.0-2         Medium    Vulnerable
References
https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
https://marc.info/?l=oss-security&m=152886256217742
Notes
A number of configuration workarounds are available which completely avoid the problem.  

If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default.

If the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:

allow-recursion
allow-query
allow-query-cache

will prevent the "allow-recursion" control from improperly inheriting a setting from the allow-query default. If a value is set for any of those options, the behavior of allow-recursion will be set directly or inherited from one of the other options as described in the BIND Administrator Reference Manual, section 6.2.

Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf.
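To audit a named.conf for the condition described above, here is an added Python check (example code, not part of this tracker page or ISC's tooling). It inspects only the top-level options block (view-level ACLs are not considered), treats an absent recursion statement as BIND's default of yes, and the two sample configurations are constructed for illustration.

```python
import re

# The three ACL statements whose presence stops allow-recursion from
# inheriting the all-hosts allow-query default (CVE-2018-5738).
ACL_STATEMENTS = ("allow-recursion", "allow-query", "allow-query-cache")

# Constructed samples: the first reproduces the vulnerable condition,
# the second applies the workaround from the advisory notes.
VULNERABLE_CONF = """
options {
    directory "/var/named";
    recursion yes;   // no allow-* ACL set anywhere in options
};
"""

FIXED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localnets; localhost; };
};
"""

def _strip_comments(text: str) -> str:
    """Remove the named.conf comment styles: /* ... */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def _options_block(text: str) -> str:
    """Return the body of the top-level options { ... } block (brace-balanced)."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in options block")

def audit_recursion_acl(conf: str) -> dict:
    """Flag recursion enabled with none of the three ACL statements set."""
    body = _options_block(_strip_comments(conf))
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", body)
    recursion_on = rec is None or rec.group(1) == "yes"  # BIND default is yes
    acls_set = [s for s in ACL_STATEMENTS
                if re.search(r"\b%s\s*\{" % re.escape(s), body)]
    return {"recursion": recursion_on, "acls_set": acls_set,
            "vulnerable": recursion_on and not acls_set}
```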