Bug 623154 (CVE-2017-3142, CVE-2017-3143) - <net-dns/bind-9.11.1_p3: Multiple vulnerabilities
Summary: <net-dns/bind-9.11.1_p3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-3142, CVE-2017-3143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-30 09:57 UTC by Agostino Sarubbo
Modified: 2018-01-15 16:14 UTC

See Also:
Package list:
=net-dns/bind-9.11.1_p3 =net-dns/bind-tools-9.11.1_p3
Runtime testing required: Yes
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-06-30 09:57:51 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1466193:

An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. A server that relies solely on TSIG or SIG(0) keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique.

Workarounds:

The effects of this vulnerability can be mitigated by using Access Control Lists (ACLs) that require both address range validation and use of TSIG authentication in parallel. For information on how to configure this type of compound authentication control, please see:

https://kb.isc.org/article/AA-00723/0/Using-Access-Control-Lists-ACLs-with-both-addresses-and-keys.html.

Administrators who have made use of named.conf option "update-policy local;" should refer to the Administrator Reference Manual (ARM) for details of the automatic update policy that will be established and to assess whether or not this conveys any additional risk to their server. (Note that this option is not enabled by default).

Upstream patch:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab

External References:

https://kb.isc.org/article/AA-01503


From https://bugzilla.redhat.com/show_bug.cgi?id=1466189:

An attacker able to send and receive messages to an authoritative DNS server may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into:

* providing an AXFR of a zone to an unauthorized recipient
* accepting bogus Notify packets

An unauthorized AXFR (full zone transfer) permits an attacker to view the entire contents of a zone.  Protection of zone contents is often a commercial or business requirement.

If accepted, a Notify sets the zone refresh interval to 'now'. If there is not already a refresh cycle in progress then named will initiate one by asking for the SOA RR from its list of masters. If there is already a refresh cycle in progress, then named will queue the new refresh request. If there is already a queued refresh request, the new Notify will be discarded. Bogus notifications can't be used to force a zone transfer from a malicious server, but could trigger a high rate of zone refresh cycles.


Workarounds:

The effects of this vulnerability can be mitigated by using Access Control Lists (ACLs) that require both address range validation and use of TSIG authentication in parallel. For information on how to configure this type of compound authentication control, please see:

https://kb.isc.org/article/AA-00723/0/Using-Access-Control-Lists-ACLs-with-both-addresses-and-keys.html.

(Note that this technique will not be effective against bogus Notify packets if an attacker is able to reach the target DNS server whilst using a spoofed sending address).


Upstream patch:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab

External References:

https://kb.isc.org/article/AA-01504


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
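
The compound address-and-key ACL that the workaround text above refers to, shown as an added example (not part of the bug report and not BIND's code). It is a simplified Python model of named's first-match address match list evaluation; the network, key name and client addresses are constructed, and `signer` stands for the key named believes signed the request.

```python
import ipaddress

# Constructed sample values: placeholder network and key name.
TRUSTED = "192.0.2.0/24"
KEY = "example-key"

# Each element is (kind, value, negated).
# named.conf: allow-transfer { key example-key; };               (key only)
KEY_ONLY = [("key", KEY, False)]
# named.conf: allow-transfer { 192.0.2.0/24; key example-key; }; (address OR key)
ADDR_OR_KEY = [("net", TRUSTED, False), ("key", KEY, False)]
# named.conf: allow-transfer { !{ !192.0.2.0/24; any; }; key example-key; };
# (address AND key: anything outside the network is rejected before the key is considered)
ADDR_AND_KEY = [
    ("acl", [("net", TRUSTED, True), ("any", None, False)], True),
    ("key", KEY, False),
]

def match(acl, addr, signer):
    """Return 1 (positive match), -1 (negative match) or 0 (no match).

    Elements are tried in order and the first one that hits decides.
    """
    for kind, value, negated in acl:
        if kind == "any":
            hit = True
        elif kind == "net":
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value)
        elif kind == "key":
            hit = signer == value
        else:
            # Nested list: only a positive inner match counts as a hit;
            # a negative inner match falls through to the next element.
            hit = match(value, addr, signer) > 0
        if hit:
            return -1 if negated else 1
    return 0

def allowed(acl, addr, signer=None):
    """True when the request is permitted by the ACL."""
    return match(acl, addr, signer) > 0
```

With the key-only and address-or-key forms, a request that named accepts as signed is permitted from any source address; only the nested form still rejects it when it arrives from outside the trusted network.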
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2017-07-10 09:12:54 UTC
bind and bind-tools 9.11.1-P3 have just been added
Comment 2 D'juan McDonald (domhnall) 2017-08-25 16:10:41 UTC
@arches, please test and mark as stable, thank you!

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2017-08-25 21:27:19 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-26 09:54:17 UTC
ia64 stable
Comment 5 Matt Turner gentoo-dev 2017-08-31 15:21:47 UTC
alpha stable
Comment 6 Markus Meier gentoo-dev 2017-09-05 04:39:01 UTC
arm stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-09-11 21:02:55 UTC
x86 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-09-11 21:03:44 UTC
Re-adding amd64: You forgot to stabilize =net-dns/bind-tools-9.11.1_p3.
Comment 10 Thomas Deutschmann gentoo-dev Security 2017-09-11 21:04:01 UTC
Re-adding amd64: You forgot to stabilize =net-dns/bind-tools-9.11.1_p3.
Comment 11 Agostino Sarubbo gentoo-dev 2017-09-20 09:59:37 UTC
amd64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:15:13 UTC
ppc64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:37:57 UTC
ppc stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-26 22:22:13 UTC
sparc stable
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:37:45 UTC
HPPA was missed...
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-24 06:11:07 UTC
hppa stable
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-15 16:14:08 UTC
GLSA Vote: No

Tree is clean.