CVE-2018-5735

7.5 HIGH

📋 TL;DR

This vulnerability is an assertion failure in the BIND DNS server's validator component, specifically in Debian's backports of the earlier fix for CVE-2017-3137. It can cause the BIND server to crash when processing certain DNS responses, leading to denial of service. Only Debian systems running the specific backported versions listed below are affected.

💻 Affected Systems

Products:
  • BIND DNS server
Versions (Debian packages): 9.9.5.dfsg-9+deb8u15, 9.9.5.dfsg-9+deb8u18, 9.10.3.dfsg.P4-12.3+deb9u5, 9.11.5.P4+dfsg-5.1
Operating Systems: Debian 8 (jessie), Debian 9 (stretch)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Debian backports of the CVE-2017-3137 fix. No ISC (upstream) releases are affected. Other distributions with similar backports may also be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

DNS service becomes completely unavailable, disrupting all DNS resolution for dependent services and potentially causing cascading failures in network infrastructure.

🟠 Likely Case

Intermittent DNS server crashes requiring manual restart, causing temporary service disruptions and increased administrative overhead.

🟢 If Mitigated

Minimal impact with proper monitoring and automated restart mechanisms in place, though service interruptions may still occur during crashes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted DNS responses to trigger the assertion failure. The vulnerability is in the validator component that processes DNS responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Debian security updates: DSA-4148-1 for Debian 8, DSA-4149-1 for Debian 9

Vendor Advisory: https://security-tracker.debian.org/tracker/CVE-2018-5735

Restart Required: Yes

Instructions:

1. Update package lists: sudo apt-get update
2. Upgrade BIND packages: sudo apt-get upgrade bind9
3. Restart BIND service: sudo systemctl restart bind9

🔧 Temporary Workarounds

Disable DNSSEC validation (Linux)

Temporarily disabling DNSSEC validation keeps the validator code path that fails the assertion from being exercised.

Edit named.conf and set 'dnssec-validation no;' in the options section.

🧯 If You Can't Patch

  • Implement network segmentation to restrict DNS traffic to trusted sources only
  • Deploy redundant DNS servers with load balancing to maintain service during crashes

🔍 How to Verify

Check if Vulnerable:

Check BIND version: dpkg -l | grep bind9

Check Version:

dpkg -l | grep bind9 | awk '{print $3}'

Verify Fix Applied:

Verify version is not in affected list and check for security updates: apt-cache policy bind9

📡 Detection & Monitoring

Log Indicators:

  • BIND process crashes
  • Assertion failures in validator.c:1858
  • Unexpected BIND restarts

Network Indicators:

  • Increased DNS query timeouts
  • DNS resolution failures

SIEM Query:

source="bind" AND ("assertion failure" OR "validator.c:1858" OR "crash")
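The version check from "How to Verify" and the log-indicator detection above, combined into one script as an added example that is not part of this advisory or of Debian/BIND tooling; the function names, the dpkg -l sample line and the log lines are constructed for illustration:

```shell
# Added example, not part of the advisory or of BIND/Debian tooling: match an
# installed bind9 version against the Debian versions listed on this page for
# CVE-2018-5735, and scan BIND log lines for the assertion indicator above.

# Affected Debian package versions exactly as listed on this page.
AFFECTED_VERSIONS="9.9.5.dfsg-9+deb8u15 9.9.5.dfsg-9+deb8u18 9.10.3.dfsg.P4-12.3+deb9u5 9.11.5.P4+dfsg-5.1"

# is_affected_version VERSION
# Exit 0 when VERSION is on the affected list. A leading Debian epoch
# ("1:" as shown by dpkg -l) is stripped before comparing.
is_affected_version() {
    v="${1#*:}"
    for a in $AFFECTED_VERSIONS; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# installed_bind9_version DPKG_LINE
# Print the version column of a "dpkg -l" line for the bind9 package only
# (the field the page's awk '{print $3}' selects); prints nothing otherwise.
installed_bind9_version() {
    printf '%s\n' "$1" | awk '$2 == "bind9" { print $3 }'
}

# count_assertion_indicators LOGFILE
# Count lines mentioning validator.c:1858 or an assertion failure. grep -c
# exits 1 on a zero count, so "|| true" keeps "set -e" callers alive.
count_assertion_indicators() {
    grep -c -i -E 'validator\.c:1858|assertion failure' "$1" || true
}

# write_sample_log PATH
# Constructed sample of syslog-style named lines (not real BIND output) so the
# detection check can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 10 12:00:01 ns1 named[1234]: client 192.0.2.10#53123: query: example.com IN A +E
Mar 10 12:00:02 ns1 named[1234]: validator.c:1858: assertion failure (constructed)
Mar 10 12:00:02 ns1 named[1234]: exiting (due to assertion failure)
Mar 10 12:00:05 ns1 systemd[1]: bind9.service: Main process exited
EOF
}
```

On a live host, feed `dpkg -l bind9 | grep '^ii'` to installed_bind9_version and the named log file to count_assertion_indicators.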
