
Bug 540640 (CVE-2015-1349)

Summary: <net-dns/bind-9.10.2_p4: Denial of Service due to issue with Trust Anchor Management (CVE-2015-1349)
Product: Gentoo Security Reporter: Marc Schiffbauer <mschiff>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: idl0r
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://kb.isc.org/article/AA-01235/0/CVE-2015-1349%3A-A-Problem-with-Trust-Anchor-Management-Can-Cause-named-to-Crash.html
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---

Description Marc Schiffbauer gentoo-dev 2015-02-19 11:29:38 UTC
BIND servers which are configured to perform DNSSEC validation and which are using managed-keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate with an assertion failure when encountering all of the following conditions in a managed trust anchor:

    a key which was previously trusted is now flagged as revoked;
    there are no other trusted keys available;
    there is a standby key, but it is not trusted yet

This situation results in termination of the named process and denial of service to clients, and can occur in two circumstances:

    during an improperly-managed key rollover for one of the managed trust anchors (e.g., during a botched root key rollover), or
    when deliberately triggered by an attacker, under specific and limited circumstances. ISC has demonstrated a proof-of-concept of this attack; however, the complexity of the attack is very high unless the attacker has a specific network relationship to the BIND server which is targeted
Comment 1 Marc Schiffbauer gentoo-dev 2015-03-10 00:46:51 UTC
Seems like net-dns/bind is pretty much unmaintained... Gentoo has had only these vulnerable versions in tree for weeks now :-/

@idl0r: Ping? Are you too busy? Or not interested in net-dns/bind anymore?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-15 00:42:15 UTC
CVE-2015-1349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1349):
  named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before
  9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled,
  allows remote attackers to cause a denial of service (assertion failure and
  daemon exit, or daemon crash) by triggering an incorrect trust-anchor
  management scenario in which no key is ready for use.
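
An added example (not part of the bug report and not ISC or Gentoo code): a Python check that flags a host as exposed when its BIND version falls in the upstream ranges quoted in Comment 2 and its named.conf enables managed-keys through the settings named in the description. The sample configurations are constructed, and the comment stripping ignores quoted strings as a simplification.

```python
import re

# Upstream affected ranges as quoted in the CVE text in Comment 2:
# 9.7.0 through 9.9.6 before 9.9.6-P2, and 9.10.x before 9.10.1-P2.
AFFECTED = [((9, 7, 0, 0), (9, 9, 6, 2)), ((9, 10, 0, 0), (9, 10, 1, 2))]

# Settings the description names as enabling managed-keys, plus an explicit
# managed-keys statement.
TRIGGERS = re.compile(
    r"\bdnssec-(?:validation|lookaside)\s+auto\s*;|\bmanaged-keys\s*\{")

def parse_version(text):
    """Parse '9.9.6-P1', '9.10.1' or Gentoo-style '9.10.2_p4' into a 4-tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-_][Pp](\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def strip_comments(conf):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", conf)

def uses_managed_keys(conf):
    return TRIGGERS.search(strip_comments(conf)) is not None

def exposed(version, conf):
    return version_affected(version) and uses_managed_keys(conf)

# Constructed sample configurations, not taken from the bug report.
SAMPLE_AUTO = """
options {
    directory "/var/bind";
    dnssec-validation auto;   // implicit managed-keys
};
"""
SAMPLE_OFF = """
options {
    # dnssec-validation auto;
    dnssec-validation yes;
};
"""

if __name__ == "__main__":
    for ver in ("9.9.6-P1", "9.10.1-P2", "9.10.2_p4"):
        for name, conf in (("auto", SAMPLE_AUTO), ("off", SAMPLE_OFF)):
            print(ver, name, "exposed" if exposed(ver, conf) else "ok")
```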
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-10-18 19:51:42 UTC
This issue was resolved and addressed in
 GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-10-18 19:52:05 UTC
This issue was resolved and addressed in
 GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01
by GLSA coordinator Mikle Kolyada (Zlogene).