Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 657654 (CVE-2018-5738) - <net-dns/bind-{9.11.3-r1, 9.12.1_p2-r1}: Improper handling of configuration allows all clients to perform recursive queries (CVE-2018-5738)
Summary: <net-dns/bind-{9.11.3-r1, 9.12.1_p2-r1}: Improper handling of configuration a...
Status: RESOLVED FIXED
Alias: CVE-2018-5738
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://kb.isc.org/article/AA-01616/0...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks: aa-01639, CVE-2018-5740, CVE-2018-5741
  Show dependency tree
 
Reported: 2018-06-09 15:38 UTC by Thomas Deutschmann
Modified: 2019-03-14 01:42 UTC (History)
1 user (show)

See Also:
Package list:
net-dns/bind-9.12.2_p2-r1 ia64 net-dns/bind-tools-9.12.2_p2-r1 net-dns/bind-9.11.4_p2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2018-06-09 15:38:12 UTC
Incoming details.
Comment 1 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2018-06-11 10:38:46 UTC
Cc Poly-C as he'll probably patch bind in case he's around at that time.
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-06-13 22:59:05 UTC
CVE-2018-5738: Some versions of BIND can improperly permit recursive query service to unauthorized clients 


Program Impacted: BIND
Versions affected: 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2,
                   the development release 9.13.0, and also releases
                   9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from
                   BIND 9 Supported Preview Edition

Severity: Medium

Exploitable: Remotely


Description:

Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver.

The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following:

none, if "recursion no;" is set in named.conf, or
a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details), or
the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query".
However, because of the regression introduced by change #4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients.

Impact:

There are several potential problems which can be caused by improperly permitting recursive service to unauthorized clients, including:

Additional queries from unauthorized clients may increase the load on a server, possibly degrading service to authorized clients.
Allowing queries from unauthorized clients can potentially allow a server to be co-opted for use in DNS reflection attacks.
An attacker may be able to deduce which queries a server has previously serviced by examining the results of queries answered from the cache, potentially leaking private information about what queries have been performed.
CVSS Score:  5.3

CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Workarounds:

A number of configuration workarounds are available which completely avoid the problem.  


If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default.

If the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:

allow-recursion
allow-query
allow-query-cache
will prevent the "allow-recursion" control from improperly inheriting a setting from the allow-query default.  If a value is set for any of those values the behavior of allow-recursion will be set directly or inherited from one of the other values as described in the BIND Adminstrator Reference Manual section 6.2


Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf

Active exploits: 


We are not aware of any exploits deliberately targeting this specific defect but it is not uncommon for scanners to search for open resolvers for use in reflection attacks and other mischief.  We have at least one report from an operator who discovered that unauthorized clients were successfully making queries to his server and it is reasonable to assume that other servers with similar configurations may be currently affected although their operators are unaware.

Solution:


Future maintenance releases of BIND will correct the regression which introduced this issue but ISC does not believe that replacement security releases of BIND are required, given that several easy, safe, and completely effective configuration workarounds are available for any operators with affected configurations.  However, an advance version of the patch diff which will be applied to future versions is available upon request to security-officer@isc.org and a correction for the behavior in question will debut in the release candidates for BIND 9.9.13, BIND 9.10.8, BIND 9.11.4, and BIND 9.12.2.
Comment 3 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2018-06-19 08:06:12 UTC
bind-9.11.3-r1 and bind-9.12.1_p2-r1 have been added including the patches for both. bind-9.11.2_p1 is currently the latest stable. So we may want to stabilize bind-9.11.3-r1 or bind-9.12.1_p2-r1. I'd go for 9.12.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-25 00:20:03 UTC
@maintainers, please call for stable when ready.
Comment 5 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-11 10:01:00 UTC
Please stabilize net-dns/bind-9.12.2_p2-r1 as well as net-dns/bind-tools-9.12.2_p2-r1
Comment 6 Thomas Deutschmann gentoo-dev Security 2018-12-13 13:20:47 UTC
x86 stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-12-13 14:26:00 UTC
amd64 stable
Comment 8 Rolf Eike Beer 2018-12-14 16:59:40 UTC
sparc stable
Comment 9 Markus Meier gentoo-dev 2018-12-18 21:07:27 UTC
arm stable
Comment 10 Matt Turner gentoo-dev 2018-12-23 03:20:19 UTC
alpha stable
Comment 11 Sergei Trofimovich gentoo-dev 2019-01-05 22:48:54 UTC
hppa stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-01-12 23:52:06 UTC
ppc stable
Comment 13 Sergei Trofimovich gentoo-dev 2019-01-12 23:52:29 UTC
ppc64 stable
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-01-23 09:32:14 UTC
9.11 is affected and stable too, have no idea why this was missed.
Comment 15 Sergei Trofimovich gentoo-dev 2019-01-23 21:28:35 UTC
ppc stable
Comment 16 Sergei Trofimovich gentoo-dev 2019-01-23 21:29:47 UTC
ppc64 stable
Comment 17 Thomas Deutschmann gentoo-dev Security 2019-01-24 22:24:11 UTC
x86 stable
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-01-25 09:58:20 UTC
amd64 stable
Comment 19 Sergei Trofimovich gentoo-dev 2019-01-29 07:29:58 UTC
hppa stable
Comment 20 Rolf Eike Beer 2019-01-30 08:31:18 UTC
sparc stable
Comment 21 Markus Meier gentoo-dev 2019-01-30 18:48:49 UTC
arm stable
Comment 22 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-02-17 08:51:42 UTC
alpha stable
Comment 23 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-02-17 08:52:24 UTC
ia64 stable
Comment 24 Yury German Gentoo Infrastructure gentoo-dev Security 2019-03-10 00:27:27 UTC
GLSA Vote: Yes
New GLSA Request filed.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2019-03-14 01:42:13 UTC
This issue was resolved and addressed in
 GLSA 201903-13 at https://security.gentoo.org/glsa/201903-13
by GLSA coordinator Aaron Bauman (b-man).