ESB-2018.1536 - [Win][UNIX/Linux] BIND: Denial of service - Remote/unauthenticated 2018-05-21


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1536
        Two denial of service vulnerabilities patched in BIND 9.12
                                21 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIND
Publisher:         ISC
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5737 CVE-2018-5736 

Original Bulletin: 
   https://kb.isc.org/article/AA-01602/0
   https://kb.isc.org/article/AA-01606/0

Comment: This bulletin contains two (2) ISC security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2018-5736: Multiple transfers of a zone in quick succession can
cause an assertion failure in rbtdb.c

Author: Michael McNally
Reference Number: AA-01602
Created: 2018-05-18 09:11
Last Updated: 2018-05-18 18:01

CVE: CVE-2018-5736
Document Version: 2.0
Posting date: 18 May 2018
Program Impacted: BIND
Versions affected: 9.12.0 and 9.12.1
Severity: Medium
Exploitable: Remotely, if an attacker can trigger a zone transfer

Description:

An error in zone database reference counting can lead to an assertion
failure if a server which is running an affected version of BIND
attempts several transfers of a slave zone in quick succession.

This defect could be deliberately exercised by an attacker who is
permitted to cause a vulnerable server to initiate zone transfers
(for example: by sending valid NOTIFY messages), causing the named
process to exit after failing the assertion test.

Impact:

Authoritative servers that serve slave zones are vulnerable to
potential denial of service if all of the following are true:

  * they are running an affected version of BIND (BIND 9.12.0 or
    9.12.1)
  * at least one of the zones for which they are providing service is
    of type "slave"
  * they permit NOTIFY messages from any source.

CVSS Score:  5.3

CVSS Vector:  CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Workarounds:

For servers which must receive NOTIFY messages to keep slave zone
contents current, no complete workaround is known, although restricting
BIND to accept NOTIFY messages only from authorized sources greatly
reduces the risk of attack.
                                                                      
Active exploits:
                                                                      
No known active exploits.                                             

Solution:                                                             
                                                                      
The reference counting error which can be exploited in this
vulnerability is present in only two public release versions of BIND,
9.12.0 and 9.12.1.

If you are running an affected version then upgrade to BIND 9.12.1-P2.
(9.12.1-P1 was recalled before public release because of a defect; see
the revision history of the CVE-2018-5737 advisory below.)
                                                                      
Acknowledgements:
                                                                      
ISC would like to thank SWITCH for informing us of this
vulnerability.

Document Revision History:

1.0 Advance Notification 09 May 2018
2.0 Public Disclosure 18 May 2018

Related Documents:

See our BIND9 Security Vulnerability Matrix at
https://kb.isc.org/article/AA-00913 for a complete listing of Security
Vulnerabilities and versions affected.

Do you still have questions?  Questions regarding this advisory
should go to security-officer@isc.org.  To report a new issue, please
encrypt your message using security-officer@isc.org's PGP key which
can be found here:
https://www.isc.org/downloads/software-support-policy/openpgp-key/
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/

Note:

ISC patches only currently supported versions. When possible we
indicate EOL versions affected.  (For current information on which
versions are actively supported, please see
http://www.isc.org/downloads/).

- --------------------------------------------------------------------------------

CVE-2018-5737: BIND 9.12's serve-stale implementation can cause an
assertion failure in rbtdb.c or other undesirable behavior, even if
serve-stale is not enabled.

Author: Michael McNally
Reference Number: AA-01606
Created: 2018-05-18 10:14
Last Updated: 2018-05-18 18:03                         

CVE: CVE-2018-5737
Document Version: 2.0
Posting date: 18 May 2018
Program Impacted: BIND
Versions affected: 9.12.0, 9.12.1
Severity: Medium
Exploitable: Remotely

Description:

A problem with the implementation of the new serve-stale feature in 
BIND 9.12 can lead to an assertion failure in rbtdb.c, even when
stale-answer-enable is off.  Additionally, problematic interaction
between the serve-stale feature and NSEC aggressive negative caching
can in some cases cause undesirable behavior from named, such as a
recursion loop or excessive logging.

Deliberate exploitation of this condition could cause operational
problems depending on the particular manifestation -- either
degradation or denial of service.

Impact:

Servers running a vulnerable version of BIND (9.12.0, 9.12.1) which
permit recursion to clients and which have the max-stale-ttl
parameter set to a non-zero value are at risk.

CVSS Score:  5.9

CVSS Vector:  CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds:

Setting "max-stale-ttl 0;" in named.conf will prevent exploitation of
this vulnerability (but will effectively disable the serve-stale
feature).

Setting "stale-answer-enable no;" is not sufficient to prevent
exploitation; max-stale-ttl must be set to zero.
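The two workarounds in this bulletin (restricting NOTIFY for CVE-2018-5736 in the first advisory, and zeroing max-stale-ttl for CVE-2018-5737 above) as an added named.conf example for a BIND 9.12 server that is both a slave for one zone and a recursive resolver for a local network. This is an illustration written for this page, not ISC's text or a configuration from either advisory. The zone name example.net, the master address 192.0.2.10, the client prefix 198.51.100.0/24 and the ACL names are assumptions made for the example; each "was:" comment shows the setting that leaves the server exposed to the advisory named beside it.

```conf
// Added example named.conf (not from ISC or this bulletin).
// Assumed names and addresses: example.net, 192.0.2.10, 198.51.100.0/24.

acl "local-clients" { 198.51.100.0/24; 127.0.0.1; ::1; };
acl "zone-masters"  { 192.0.2.10; };

options {
    directory "/var/named";

    // Recursion is offered, so the CVE-2018-5737 risk condition
    // ("permit recursion to clients") applies to this server.
    recursion yes;
    allow-recursion { "local-clients"; };
    allow-query     { "local-clients"; };

    // CVE-2018-5736: never accept NOTIFY from arbitrary sources globally.
    // A slave zone still accepts NOTIFY from its own masters by default,
    // plus whatever its per-zone allow-notify adds.
    // was: allow-notify { any; };
    allow-notify { none; };

    // CVE-2018-5737: the defect is reachable while max-stale-ttl is
    // non-zero whether or not stale answers are enabled, so disabling
    // stale answers alone is not a workaround.
    // was: stale-answer-enable no;   (max-stale-ttl left non-zero)
    stale-answer-enable no;
    max-stale-ttl 0;
};

zone "example.net" {
    type slave;
    file "slaves/example.net";
    masters { 192.0.2.10; };
    // Explicit per-zone ACL: only the listed masters may send NOTIFY.
    // was: allow-notify { any; };
    allow-notify { "zone-masters"; };
};
```

Validate the file with `named-checkconf /etc/named.conf` (use `named-checkconf -p` to print the parsed configuration and confirm the effective values of `allow-notify` and `max-stale-ttl`) and apply it with `rndc reconfig`. Note the caveat the first advisory gives: NOTIFY is normally carried over UDP, so an address-based ACL narrows the set of hosts that can trigger a transfer but does not stop a sender that spoofs a master's address; the upgrade to 9.12.1-P2 is the fix, and these settings only reduce exposure until it is applied.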

Active exploits:

No known active exploits.                                             

Solution:
                                                                      
The error which can be exploited in this vulnerability is present in
only two public release versions of BIND, 9.12.0 and 9.12.1.  If you  
are running an affected version then upgrade to BIND 9.12.1-P2        
                                                                      
Acknowledgements:                                                     
                                                                      
ISC would like to thank Tony Finch of the University of Cambridge for 
his assistance in discovering and analyzing this vulnerability.       
                                                                      
Document Revision History:
                                                                      
1.0 Advance Notification, 09 May 2018
1.1 BIND 9.12.1-P1 was recalled before public announcement due to a
defect; the advisory language was re-written to be clearer about the
exploit risk, and the public disclosure date was adjusted because of
the problem with 9.12.1-P1, 17 May 2018
2.0 Public Disclosure, 18 May 2018

Related Documents:

See our BIND9 Security Vulnerability Matrix at
https://kb.isc.org/article/AA-00913 for a complete listing of Security
Vulnerabilities and versions affected.

If you'd like more information on ISC Subscription Support and
Advance Security Notifications, please visit
http://www.isc.org/support/.

Do you still have questions?  Questions regarding this advisory
should go to security-officer@isc.org.  To report a new issue, please
encrypt your message using security-officer@isc.org's PGP key which
can be found here:
https://www.isc.org/downloads/software-support-policy/openpgp-key/
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/

Note:

ISC patches only currently supported versions. When possible we
indicate EOL versions affected.  (For current information on which
versions are actively supported, please see
http://www.isc.org/downloads/).

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be
found here:
https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html

This Knowledge Base article https://kb.isc.org/article/AA-01606 is
the complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied
warranty of merchantability, fitness for a particular purpose,
absence of hidden defects, or of non-infringement. Your use or
reliance on this notice or materials referred to in this notice is at
your own risk. ISC may change this notice at any time.  A stand-alone
copy or paraphrase of the text of this document that omits the
document URL is an uncontrolled copy. Uncontrolled copies may lack
important information, be out of date, or contain factual errors.

© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been
able to find an answer in our Knowledge Base, we recommend searching
our community mailing list archives and/or posting your question there
(you will need to register there first for your posts to be accepted).
The bind-users and the dhcp-users lists particularly have a
long-standing and active membership.

ISC relies on the financial support of the community to fund the
development of its open source software products. If you would like to
support future product evolution and maintenance as well as having
peace of mind knowing that our team of experts are poised to provide
you with individual technical assistance whenever you call upon them,
then please consider our Professional Subscription Support services -
details can be found on our main website.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
