Bug 131337

Summary:	net-dns/bind: Zone Transfer TSIG Handling Denial of Service (CVE-2006-2073)
Product:	Gentoo Security	Reporter:	Raphael Marichez (Falco) (RETIRED) <falco>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	bernd, bind+disabled, chainsaw, gengor, voxus, wschlich
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://secunia.com/advisories/19808/
Whiteboard:	C3 [noglsa] jaervosz
Package list:		Runtime testing required:	---
Bug Depends on:	158217, 181556
Bug Blocks:

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-04-26 07:02:20 UTC

Description:
A vulnerability been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the handling of the TSIG in the second or subsequent messages in a zone transfer. This can be exploited to crash "named" via a malformed TSIG in the messages.

Successful exploitation requires that the first zone transfer message have a valid TSIG.

Solution:
The vulnerability will reportedly be fixed in a future release.

Do not accept zone-transfers from non-trusted nameservers.

Provided and/or discovered by:
Reported by vendor based on DNS Test Tool created by Oulu University Secure Programming Group.

Original Advisory:
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en

Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-04-26 07:03:30 UTC

i mark it as a B3 and not A3, since the attacker must be authorized for zone transfer, and have valid TSIG.

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2006-08-12 03:20:38 UTC

This is CVE-2006-2073.

It may be fixed in an upcoming release, if this corresponds :
* Handle unexpected TSIGs on unsigned AXFR/IXFR responses more gracefully. [RT #15941]

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-24 12:16:14 UTC

Still nothing upstream apparently (according to Secunia).

Comment 4 Konstantin Arkhipov (RETIRED) gentoo-dev

2006-12-17 09:54:35 UTC

fyi: 9.2.7/9.3.3 added to portage.

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2006-12-18 00:35:37 UTC

x86 stable for both versions

Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-01-12 22:28:26 UTC

IMHO this is not fixed upstream yet.

Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-01-13 21:10:20 UTC

(In reply to comment #6)
> IMHO this is not fixed upstream yet.
> 

and according to secunia too

Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-04-11 19:07:06 UTC

seems that version 9.4 fixes it:

http://www.isc.org/index.pl?/sw/bind/

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-04-11 19:42:50 UTC

Pierre-Yves do you have a more exact reference?

Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-04-11 20:12:26 UTC

hmm sorry the link doesn't work (perl url...crap).
But if you click on "BIND 9.4.0" under current release, and then scroll down to the release notes, you see:

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

So I think 9.4.0 is ok

Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-04-11 20:30:56 UTC

sorry I misread, in fact it's not entry 2066 but 2013:

2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
			responses more gracefully. [RT #15941]
Fixed in 9.4.0a5.

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-04-11 20:31:43 UTC

Thx that is all I need.

Bind what are your plans on stabling 9.4?

Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-05-08 19:29:43 UTC

Thanks Pierre-Yves;

voxus / bind team, any decision here?

Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-05-16 18:03:32 UTC

any news here? I see that ~9.4.1 is in the tree, is it ok for asking stabilisation?

Comment 15 Martin Jackson (RETIRED) gentoo-dev

2007-05-16 23:48:36 UTC

I run BIND 9.4.1 on x86.  As the junior member of the bind herd, I support stabilization. :)

Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-06-03 15:34:10 UTC

Bind what are your plans on stabling 9.4?

Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-06-10 08:00:18 UTC

Bind what are your plans on stabling 9.4?

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-06-16 06:22:20 UTC

Bind what are your plans on stabling 9.4?

Comment 19 Christian Parpart (RETIRED) gentoo-dev

2007-06-17 08:49:54 UTC

i'm a (rather *silent* listener-)member of the BIND herd, as I've to do really *much* of DNS administration at work.

however, I don't feel well in stabelizing an arch I'm not on, so I stabelized for amd64 for bind and bind-tools as I'm already using them quite a while now.

So it's stable on: alpha amd64 ppc64 sparc x86

and still testing on: ~hppa ~ia64 ~mips ~ppc

looks to me, as if the main archs already stabelized bind so far, jaervosz.

Comment 20 Christian Parpart (RETIRED) gentoo-dev

2007-06-17 08:52:16 UTC

CCing arch, so they do know about.

Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev

2007-06-17 09:47:21 UTC

ppc stable as per #181556

Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-06-17 10:25:22 UTC

Sorry Christian, I didn't check wether it was stabled since I first started asking and I even upgraded to 9.4 myself, duh!

This one is ready for GLSA decision. I vote NO.

Comment 23 René Nussbaumer (RETIRED) gentoo-dev

2007-06-17 19:50:51 UTC

Stable on hppa.

Comment 24 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-06-20 08:12:35 UTC

I tend to vote NO.

Comment 25 Joshua Kinard gentoo-dev

2007-06-21 05:40:42 UTC

mips stable on both bind and bind-tools.

Comment 26 Raúl Porcel (RETIRED) gentoo-dev

2007-06-21 11:11:00 UTC

ia64 stable

Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-07-01 02:06:09 UTC

Security please vote.

Comment 28 Matt Drew (RETIRED) gentoo-dev

2007-07-02 21:03:14 UTC

I also vote no, since the remote server has to already be authorized for zone transfer.

Comment 29 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-07-14 21:28:27 UTC

2 NO votes, closing without glsa. feel free to reopen if you disagree.