ISC BIND 9.8/9.9 Remote DoS

2014.01.14
Credit: Vincent Danen
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

It was reported that a defect in how BIND handled queries for NSEC3-signed zones could cause a crash of the named daemon with an "INSIST" failure when processing queries that possessed certain properties. A remote attacker could exploit this defect by constructing a carefully-crafted query against an authoritative nameserver that served NSEC3-signed zones. Note that this flaw affects BIND versions 9.6.0 and higher (NSEC3 was introduced in BIND 9.6.0 but is not automatically enabled). Authoritative nameservers that are serving at least one NSEC3-signed zone are vulnerable. Authoritative nameservers that are NOT serving at least one NSEC3-signed zone are not vulnerable, nor are recursive-only servers. Servers running versions of BIND older than 9.6.0 are also not vulnerable. There are no workarounds for this issue.
diff -pruN bind-9.9.4-P1/bin/named/query.c bind-9.9.4-P2/bin/named/query.c
--- bind-9.9.4-P1/bin/named/query.c 2013-10-16 01:04:32.000000000 +0200
+++ bind-9.9.4-P2/bin/named/query.c 2013-12-20 01:28:28.000000000 +0100
@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname
 dns_fixedname_t fixed;
 dns_hash_t hash;
 dns_name_t name;
- int order;
- unsigned int count;
+ unsigned int skip = 0, labels;
 dns_rdata_nsec3_t nsec3;
 dns_rdata_t rdata = DNS_RDATA_INIT;
 isc_boolean_t optout;
@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname
 dns_name_init(&name, NULL);
 dns_name_clone(qname, &name);
+ labels = dns_name_countlabels(&name);
 dns_clientinfomethods_init(&cm, ns_client_sourceip);
 dns_clientinfo_init(&ci, client);
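Review bot: `labels` is counted from `&name` right after `dns_name_clone(qname, &name)`, yet every later use slices `qname` with it (`dns_name_getlabelsequence(qname, skip, labels - skip, ...)` in the following hunks), so the value is really a property of `qname` and reads more clearly when taken from the source directly: `labels = dns_name_countlabels(qname);`. The new `skip`/`labels` pair in the declaration hunk also deserves one line explaining the protocol between the two, e.g. `/* labels: label count of qname; skip: leading labels already stripped while searching for the closest encloser */`. The body of query_findclosestnsec3 begins and continues outside these hunks.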
@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname
 dns_rdata_reset(&rdata);
 optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
 if (found != NULL && optout &&
- dns_name_fullcompare(&name, dns_db_origin(db), &order,
- &count) == dns_namereln_subdomain) {
+ dns_name_issubdomain(&name, dns_db_origin(db)))
+ {
 dns_rdataset_disassociate(rdataset);
 if (dns_rdataset_isassociated(sigrdataset))
 dns_rdataset_disassociate(sigrdataset);
- count = dns_name_countlabels(&name) - 1;
- dns_name_getlabelsequence(&name, 1, count, &name);
+ skip++;
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ &name);
 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
 "looking for closest provable encloser");
@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname
 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
 "expected covering NSEC3, got an exact match");
- if (found != NULL)
+ if (found == qname) {
+ if (skip != 0U)
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ found);
+ } else if (found != NULL)
 dns_name_copy(&name, found, NULL);
 return;
 }
diff -pruN bind-9.9.4-P1/bin/named/unix/os.c bind-9.9.4-P2/bin/named/unix/os.c
--- bind-9.9.4-P1/bin/named/unix/os.c 2013-10-16 01:04:32.000000000 +0200
+++ bind-9.9.4-P2/bin/named/unix/os.c 2013-12-20 01:28:28.000000000 +0100
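Review bot: The replacement condition is weaker than the one it removes: `dns_name_issubdomain()` is also true when `name` equals `dns_db_origin(db)`, whereas `dns_name_fullcompare() == dns_namereln_subdomain` required a proper subdomain, so with opt-out set the loop can now strip labels past the zone apex unless the loop head above or the exact-match return below (both outside this hunk) already rule that out. `skip` and `labels` are `unsigned int`, so once `skip` reaches `labels` the `labels - skip` argument wraps, and nothing in this hunk or in the `found == qname` branch of the next hunk, which does the same arithmetic, bounds it. If the apex is the intended stopping point, keep the check strict, `dns_name_issubdomain(&name, dns_db_origin(db)) && !dns_name_equal(&name, dns_db_origin(db))`, or at least guard the slice with `INSIST(skip < labels);` before the `dns_name_getlabelsequence()` call. query_findclosestnsec3 begins and ends outside the hunk.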
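Review bot: The new `found == qname` branch is the substance of the fix but carries no explanation, and a reader who does not know why `dns_name_copy()` must be avoided when `found` aliases `qname` will see `dns_name_getlabelsequence()` used twice for apparently the same purpose. A comment such as `/* found aliases qname: name's ndata lies inside qname's own buffer, so rebase found onto the remaining labels instead of copying between overlapping storage (RT #35120). */` would carry that. That `name` always points into `qname`'s storage follows from `dns_name_clone(qname, &name)` in the earlier hunk and the `dns_name_getlabelsequence(qname, ...)` slices, but confirm it against lib/dns/name.c, which this diff does not touch. The enclosing function continues outside the hunk.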
@@ -117,12 +117,12 @@ static int dfd[2] = { -1, -1 };
 static isc_boolean_t non_root = ISC_FALSE;
 static isc_boolean_t non_root_caps = ISC_FALSE;
-#ifdef HAVE_LINUX_TYPES_H
-#include <linux/types.h>
-#endif
 #ifdef HAVE_SYS_CAPABILITY_H
 #include <sys/capability.h>
 #else
+#ifdef HAVE_LINUX_TYPES_H
+#include <linux/types.h>
+#endif
 /*%
 * We define _LINUX_FS_H to prevent it from being included. We don't need
 * anything from it, and the files it includes cause warnings with 2.2
diff -pruN bind-9.9.4-P1/CHANGES bind-9.9.4-P2/CHANGES
--- bind-9.9.4-P1/CHANGES 2013-10-16 01:04:32.000000000 +0200
+++ bind-9.9.4-P2/CHANGES 2013-12-20 01:28:28.000000000 +0100
@@ -1,6 +1,16 @@
+ --- 9.9.4-P2 released ---
+
+3693. [security] memcpy was incorrectly called with overlapping
+ ranges resulting in malformed names being generated
+ on some platforms. This could cause INSIST failures
+ when serving NSEC3 signed zones. [RT #35120]
+
+3658. [port] linux: Address platform specific compilation issue
+ when libcap-devel is installed. [RT #34838]
+
 --- 9.9.4-P1 released ---
-3656. [bug] Treat a all zero netmask as invalid when generating
+3656. [bug] Treat an all zero netmask as invalid when generating
 the localnets acl. [RT #34687]
 --- 9.9.4 released ---
diff -pruN bind-9.9.4-P1/configure bind-9.9.4-P2/configure
--- bind-9.9.4-P1/configure 2013-10-16 01:04:32.000000000 +0200
+++ bind-9.9.4-P2/configure 2013-12-20 01:28:28.000000000 +0100
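Review bot: Nothing at the relocated `#include <linux/types.h>` says why it must now be pulled in only on the path without `sys/capability.h`; the reason is recorded in CHANGES entry 3658 of this same patch (a build failure when libcap-devel is installed) and belongs next to the `#else` where the next maintainer will look. Suggest a comment on the moved block, e.g. `/* Only the raw linux/capability.h path needs linux/types.h; including it alongside libcap's sys/capability.h breaks the build (RT #34838). */`, with the wording adjusted to whatever the build actually failed on, since the cause is inferred from the CHANGES text rather than visible here. The `#else` branch continues outside the hunk.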
@@ -17764,17 +17764,28 @@ fi
 done - for ac_header in linux/capability.h sys/capability.h + for ac_header in sys/capability.h do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#ifdef HAVE_LINUX_TYPES_H #include <linux/types.h> #endif " + ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_capability_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYS_CAPABILITY_H 1 +_ACEOF + +fi + +done + + for ac_header in linux/capability.h +do : + ac_fn_c_check_header_compile "$LINENO" "linux/capability.h" "ac_cv_header_linux_capability_h" "#ifdef HAVE_LINUX_TYPES_H #include <linux/types.h> #endif " -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : +if test "x$ac_cv_header_linux_capability_h" = xyes; then : cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +#define HAVE_LINUX_CAPABILITY_H 1 _ACEOF fi
diff -pruN bind-9.9.4-P1/configure.in bind-9.9.4-P2/configure.in
--- bind-9.9.4-P1/configure.in 2013-10-16 01:04:32.000000000 +0200
+++ bind-9.9.4-P2/configure.in 2013-12-20 01:28:28.000000000 +0100
@@ -2549,7 +2549,8 @@ AC_ARG_ENABLE(linux-caps,
 case "$enable_linux_caps" in
 yes|'')
 AC_CHECK_HEADERS(linux/types.h)
- AC_CHECK_HEADERS([linux/capability.h sys/capability.h], [], [],
+ AC_CHECK_HEADERS([sys/capability.h])
+ AC_CHECK_HEADERS([linux/capability.h], [], [],
 [#ifdef HAVE_LINUX_TYPES_H
 #include <linux/types.h>
 #endif
diff -pruN bind-9.9.4-P1/srcid bind-9.9.4-P2/srcid
--- bind-9.9.4-P1/srcid 2013-10-16 02:10:19.000000000 +0200
+++ bind-9.9.4-P2/srcid 2013-12-20 04:14:21.000000000 +0100
@@ -1 +1 @@
-SRCID=07aaf1ef
+SRCID=3f00a920
diff -pruN bind-9.9.4-P1/version bind-9.9.4-P2/version
--- bind-9.9.4-P1/version 2013-10-16 01:04:32.000000000 +0200
+++ bind-9.9.4-P2/version 2013-12-20 01:28:28.000000000 +0100
@@ -9,4 +9,4 @@ MAJORVER=9
 MINORVER=9
 PATCHVER=4
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2

References:

https://kb.isc.org/article/AA-01085
https://kb.isc.org/article/AA-01078
https://bugzilla.redhat.com/show_bug.cgi?id=1051717

