-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1756.2
   Some versions of BIND can improperly permit recursive query service to
                             unauthorized clients
                                 11 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIND
Publisher:         ISC
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5738

Original Bulletin:
   https://kb.isc.org/article/AA-01616/0/
   https://kb.isc.org/article/AA-01632/81/BIND-9.9.13-Release-Notes.html
   https://kb.isc.org/article/AA-01633/81/BIND-9.10.8-Release-Notes.html
   https://kb.isc.org/article/AA-01634/81/BIND-9.11.4-Release-Notes.html
   https://kb.isc.org/article/AA-01635/81/BIND-9.12.2-Release-Notes.html

Comment: This bulletin contains five (5) ISC documents: the security
         advisory for CVE-2018-5738 and the release notes for the four
         maintenance releases (9.9.13, 9.10.8, 9.11.4 and 9.12.2) that
         fix it.

Revision History:  July 11 2018: Patched in maintenance releases 9.9.13,
                                 9.10.8, 9.11.4 and 9.12.2.
                   June 13 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Please note that for this vulnerability ISC is not issuing replacement
software releases. Safe, effective, and side-effect-free configuration
workarounds are available for those whose configurations are affected.
The vulnerability will be fixed in upcoming maintenance releases so that
it cannot recur, but until maintenance releases containing the fix are
released we recommend use of any of the options listed in the
workarounds section.
If using the configuration workarounds is impractical for you, you may
request a patch diff containing an advance version of the fix by sending
e-mail to security-officer at isc.org

- -----

CVE:                CVE-2018-5738
Document Version:   2.0
Posting date:       12 June 2018
Program Impacted:   BIND
Versions affected:  9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the
                    development release 9.13.0, and also releases
                    9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from
                    BIND 9 Supported Preview Edition.
Severity:           Medium
Exploitable:        Remotely

Description:

Change #4777 (October 2017) introduced an unforeseen issue in releases
issued after that date, affecting which clients are permitted to make
recursive queries to a BIND nameserver.

The intended (and documented) behavior is that if an operator has not
specified a value for the "allow-recursion" setting, it SHOULD default
to one of the following:

  + none, if "recursion no;" is set in named.conf, or

  + a value inherited from the "allow-query-cache" or "allow-query"
    settings IF "recursion yes;" (the default for that setting) AND
    match lists are explicitly set for "allow-query-cache" or
    "allow-query" (see the BIND9 Administrator Reference Manual section
    6.2 for more details), or

  + the intended default of "allow-recursion {localhost; localnets;};"
    if "recursion yes;" is in effect and no values are explicitly set
    for "allow-query-cache" or "allow-query".

However, because of the regression introduced by change #4777, when
"recursion yes;" is in effect and no match list values are provided for
"allow-query-cache" or "allow-query", "allow-recursion" can inherit the
"allow-query" default of all hosts, improperly permitting recursion to
all clients.
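To make the three inheritance rules above, and the regression, concrete, here is a small Python model. It is an added example, not ISC code, and named does not evaluate ACLs this way internally; the decision rules are the ones the advisory describes. It parses only the four options the advisory names from a constructed named.conf, derives the effective allow-recursion match list under the documented rules and under the change #4777 behaviour, and matches client addresses against it with BIND's first-match semantics (any, none, localhost, localnets, CIDR prefixes and "!" negation). The interface list (127.0.0.1/8 and 192.0.2.10/24) and the two named.conf snippets are constructed for the demo; the second snippet is the explicit allow-query setting that the Workarounds section of this advisory recommends.

```python
"""Model of how named derives its effective allow-recursion ACL.

Added example, not ISC code: named does not evaluate ACLs this way, but
the decision rules below are the ones the advisory describes. The
interface list and the two named.conf snippets are constructed for the
demo.
"""
import ipaddress
import re

# Constructed: addresses/prefixes the hypothetical server listens on.
# BIND's "localhost" matches the server's own addresses, "localnets"
# the networks directly attached to those addresses.
SERVER_INTERFACES = ["127.0.0.1/8", "192.0.2.10/24"]
LOCALHOST = {ipaddress.ip_interface(a).ip for a in SERVER_INTERFACES}
LOCALNETS = [ipaddress.ip_interface(a).network for a in SERVER_INTERFACES]

# Only the four options the advisory talks about; longest names first so
# "allow-query" cannot swallow "allow-query-cache".
OPTION_RE = re.compile(
    r"\b(allow-query-cache|allow-recursion|allow-query|recursion)\s+"
    r"([^;{}]+|\{[^}]*\})\s*;"
)


def parse_options(conf: str) -> dict:
    """Return {option: 'yes'/'no' or [match list elements]}."""
    opts = {}
    for name, value in OPTION_RE.findall(conf):
        value = value.strip()
        if value.startswith("{"):
            opts[name] = [e.strip() for e in value[1:-1].split(";") if e.strip()]
        else:
            opts[name] = value
    return opts


def effective_allow_recursion(opts: dict, fixed: bool) -> list:
    """Match list named applies to recursive queries.

    fixed=True follows the documented rules (ARM section 6.2);
    fixed=False reproduces the change #4777 regression, where an unset
    allow-recursion falls through to the allow-query default of {any;}.
    """
    if opts.get("recursion", "yes") == "no":
        return ["none"]
    for inherited in ("allow-recursion", "allow-query-cache", "allow-query"):
        if inherited in opts:
            return opts[inherited]
    return ["localhost", "localnets"] if fixed else ["any"]


def acl_allows(match_list: list, client: str) -> bool:
    """First-match evaluation of a BIND address match list."""
    ip = ipaddress.ip_address(client)
    for element in match_list:
        negated = element.startswith("!")
        term = element.lstrip("!").strip()
        if term == "any":
            hit = True
        elif term == "none":
            hit = False
        elif term == "localhost":
            hit = ip in LOCALHOST
        elif term == "localnets":
            hit = any(ip in net for net in LOCALNETS)
        else:  # a literal address or prefix (named ACL references not modelled)
            hit = ip in ipaddress.ip_network(term, strict=False)
        if hit:
            return not negated
    return False  # nothing matched: denied


def recursion_permitted(conf: str, client: str, fixed: bool) -> bool:
    acl = effective_allow_recursion(parse_options(conf), fixed)
    return acl_allows(acl, client)


# Constructed: recursion on, ACLs left at their defaults (the affected case).
IMPLICIT_CONF = """
options {
    directory "/var/named";
    recursion yes;
};
"""

# Constructed: the advisory's workaround, equivalent to the intended default.
WORKAROUND_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { localnets; localhost; };
};
"""

if __name__ == "__main__":
    for label, conf in (("implicit ACLs", IMPLICIT_CONF), ("explicit allow-query", WORKAROUND_CONF)):
        for client in ("127.0.0.1", "192.0.2.55", "203.0.113.7"):
            print(f"{label:21} {client:12} affected={recursion_permitted(conf, client, False)!s:5} "
                  f"fixed={recursion_permitted(conf, client, True)}")
```

With the implicit configuration the affected build grants recursion to 203.0.113.7 while the fixed build (and the intended default) does not; with allow-query set explicitly both builds deny it, because allow-recursion then inherits the explicit match list rather than the allow-query default.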
Impact:

There are several potential problems which can be caused by improperly
permitting recursive service to unauthorized clients, including:

  + Additional queries from unauthorized clients may increase the load
    on a server, possibly degrading service to authorized clients.

  + Allowing queries from unauthorized clients can potentially allow a
    server to be co-opted for use in DNS reflection attacks.

  + An attacker may be able to deduce which queries a server has
    previously serviced by examining the results of queries answered
    from the cache, potentially leaking private information about what
    queries have been performed.

CVSS Score:  5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Workarounds:

A number of configuration workarounds are available which completely
avoid the problem.

If an operator has not chosen to specify some other permission,
explicitly specifying "allow-query {localnets; localhost;};" in
named.conf will provide behavior equivalent to the intended default.
Note that allow-query governs every query the server accepts, not only
recursive ones (a zone can override it with its own allow-query), so a
server that also answers authoritatively for the public should set
allow-recursion explicitly rather than narrowing allow-query.

If the default setting is not appropriate (because the operator wants a
different behavior) then depending on which clients are intended to be
able to receive service for recursive queries, explicitly setting a
match list value for any of:

  + allow-recursion
  + allow-query
  + allow-query-cache

will prevent the "allow-recursion" control from improperly inheriting a
setting from the allow-query default.
If a value is set for any of those options the behavior of
allow-recursion will be set directly or inherited from one of the other
values as described in the BIND Administrator Reference Manual section
6.2.

Servers which are not intended to perform recursion at all may also
effectively prevent this condition by setting "recursion no;" in
named.conf.

Active exploits:

We are not aware of any exploits deliberately targeting this specific
defect but it is not uncommon for scanners to search for open resolvers
for use in reflection attacks and other mischief. We have at least one
report from an operator who discovered that unauthorized clients were
successfully making queries to his server and it is reasonable to assume
that other servers with similar configurations may be currently affected
although their operators are unaware.

Solution:

Future maintenance releases of BIND will correct the regression which
introduced this issue but ISC does not believe that replacement security
releases of BIND are required, given that several easy, safe, and
completely effective configuration workarounds are available for any
operators with affected configurations.

However, an advance version of the patch diff which will be applied to
future versions is available upon request to security-officer at isc.org
and a correction for the behavior in question will debut in the release
candidates for BIND 9.9.13, BIND 9.10.8, BIND 9.11.4, and BIND 9.12.2.

Acknowledgements: ISC would like to thank Andrew Skalski for reporting
this issue.

Document Revision History:

1.0 Advance Notification 06 June 2018
2.0 Public disclosure    12 June 2018

Related Documents:

See our BIND9 Security Vulnerability Matrix at
https://kb.isc.org/article/AA-00913 for a complete listing of Security
Vulnerabilities and versions affected.

If you'd like more information on ISC Subscription Support and Advance
Security Notifications, please visit http://www.isc.org/support/.

Do you still have questions?
Questions regarding this advisory should go to security-officer at
isc.org. To report a new issue, please encrypt your message using
security-officer at isc.org's PGP key which can be found here:
https://www.isc.org/downloads/software-support-policy/openpgp-key/
If you are unable to use encrypted email, you may also report new issues
at: https://www.isc.org/community/report-bug/.

Note: ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see
http://www.isc.org/downloads/).

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be
found here: https://kb.isc.org/article/AA-00861

This Knowledge Base article https://kb.isc.org/article/AA-01616 is the
complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice
and none should be implied. ISC expressly excludes and disclaims any
warranties regarding this notice or materials referred to in this
notice, including, without limitation, any implied warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of non-infringement. Your use or reliance on this notice or
materials referred to in this notice is at your own risk. ISC may change
this notice at any time.

A stand-alone copy or paraphrase of the text of this document that omits
the document URL is an uncontrolled copy. Uncontrolled copies may lack
important information, be out of date, or contain factual errors.
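The condition the advisory's Impact and Active exploits sections describe, an outsider receiving recursive service, is something an operator can check for directly from an address that is not in the server's localnets. The following is an added example, not ISC tooling: it encodes a DNS query with the RD bit set and classifies the reply from its QR, RA and RCODE fields. BIND sets RA in each response according to whether allow-recursion grants recursion to that particular client, so a REFUSED reply, or one with RA clear, means the ACL denied you, while a NOERROR reply with RA set and an answer means the server recursed on your behalf. The reply bytes in the demo are constructed so the classifier runs offline; probe() performs the real UDP exchange and is only meaningful when run from outside localnets. The query name www.example.com is an arbitrary choice.

```python
"""Open-resolver check from the outside.

Added example, not ISC tooling. build_query() encodes a plain DNS query
with RD set; classify_response() reads QR, RA and RCODE from the reply.
BIND sets RA per client according to allow-recursion, so RA is the
direct signal for what CVE-2018-5738 leaks. The replies used in the demo
are constructed so the classifier runs offline; probe() does the real
UDP exchange.
"""
import socket
import struct
import sys

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits (RFC 1035 section 4.1.1)
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query, one question, RD set: we explicitly ask for recursion."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def classify_response(query: bytes, reply: bytes) -> str:
    if len(reply) < 12:
        return "error"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "mismatch"            # not a reply to our query
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"             # ACL denied the query: what you want to see
    if not flags & RA:
        return "no-recursion"        # answered (zone or cache) but would not recurse for us
    if rcode == 0 and ancount > 0:
        return "open"                # recursion performed for an outsider
    return "recursion-offered"       # RA set but the lookup itself failed (SERVFAIL/NXDOMAIN)


def make_reply(query: bytes, flags: int, answer: bytes = b"") -> bytes:
    """Constructed reply builder, used only to exercise the classifier offline."""
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer      # echo the question, append the answer RR


# Constructed A record: name pointer to offset 12, type A, class IN, TTL 300, 192.0.2.1
SAMPLE_A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])


def probe(server: str, name: str = "www.example.com", timeout: float = 3.0) -> str:
    """Send the query over UDP from this host and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(query, reply)


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("constructed REFUSED reply  ->", classify_response(q, make_reply(q, QR | RD | RCODE_REFUSED)))
    print("constructed recursed reply ->", classify_response(q, make_reply(q, QR | RD | RA, SAMPLE_A_RECORD)))
    if len(sys.argv) > 1:                    # pass a server address as the first argument
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

A result of "open" from an address outside localnets on a server that has no explicit allow-recursion, allow-query or allow-query-cache is exactly the behaviour this advisory describes; "refused" or "no-recursion" is what the intended default produces. The check is deliberately single-shot and unauthenticated, which is also how the scanners the Active exploits section mentions find open resolvers.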
(c) 2001-2018 Internet Systems Consortium

- --------------------------------------------------------------------------------

BIND 9.9.13 Release Notes

Author: Michael McNally
Reference Number: AA-01632
Created: 2018-07-11 02:58
Last Updated: 2018-07-11 03:03

Introduction

This document summarizes significant changes since the last production
release of BIND on the corresponding major release branch. Please see
the CHANGES file for a further list of bug fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.

Legacy Windows No Longer Supported

As of BIND 9.9.11, Windows XP and Windows 2003 are no longer supported
platforms for BIND; "XP" binaries are no longer available for download
from ISC.

Security Fixes

  * When recursion is enabled but the allow-recursion and
    allow-query-cache ACLs are not specified, they should be limited to
    local networks, but they were inadvertently set to match the default
    allow-query, thus allowing remote queries. This flaw is disclosed in
    CVE-2018-5738. [GL #309]

New Features

  * named now supports the "root key sentinel" mechanism. This enables
    validating resolvers to indicate which trust anchors are configured
    for the root, so that information about root key rollover status can
    be gathered. To disable this feature, add root-key-sentinel no; to
    named.conf.

Feature Changes

  * None.

Bug Fixes

  * named now rejects excessively large incremental (IXFR) zone
    transfers in order to prevent possible corruption of journal files
    which could cause named to abort when loading zones. [GL #339]

  * rndc reload could cause named to leak memory if it was invoked
    before the zone loading actions from a previous rndc reload command
    were completed.
    [RT #47076]

End of Life

BIND 9.9 (Extended Support Version) will be supported until June, 2018,
at which time this final maintenance release will be published for the
branch. The new Extended Support Version is BIND 9.11, which will be
supported until at least December, 2021. See
https://www.isc.org/downloads/software-support-policy/ for details of
ISC's software support policy.

- --------------------------------------------------------------------------------

BIND 9.10.8 Release Notes

Author: Michael McNally
Reference Number: AA-01633
Created: 2018-07-11 02:50
Last Updated: 2018-07-11 03:02

Introduction

This document summarizes changes since the last production release on
the BIND 9.10 branch. Please see the CHANGES file for a further list of
bug fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.

Legacy Windows No Longer Supported

As of BIND 9.10.6, Windows XP and Windows 2003 are no longer supported
platforms for BIND; "XP" binaries are no longer available for download
from ISC.

Security Fixes

  * When recursion is enabled but the allow-recursion and
    allow-query-cache ACLs are not specified, they should be limited to
    local networks, but they were inadvertently set to match the default
    allow-query, thus allowing remote queries. This flaw is disclosed in
    CVE-2018-5738. [GL #309]

New Features

  * named now supports the "root key sentinel" mechanism. This enables
    validating resolvers to indicate which trust anchors are configured
    for the root, so that information about root key rollover status can
    be gathered. To disable this feature, add root-key-sentinel no; to
    named.conf. [GL #37]

Feature Changes

  * None.
Bug Fixes

  * named now rejects excessively large incremental (IXFR) zone
    transfers in order to prevent possible corruption of journal files
    which could cause named to abort when loading zones. [GL #339]

  * rndc reload could cause named to leak memory if it was invoked
    before the zone loading actions from a previous rndc reload command
    were completed. [RT #47076]

End of Life

BIND 9.10 will be supported until June, 2018, at which time this final
maintenance release will be published for the branch. For those needing
long-term support, the current Extended Support Version is BIND 9.11,
which will be supported until at least December, 2021. The current
stable branch is BIND 9.12. See
https://www.isc.org/downloads/software-support-policy/ for details of
ISC's software support policy.

- --------------------------------------------------------------------------------

BIND 9.11.4 Release Notes

Author: Michael McNally
Reference Number: AA-01634
Created: 2018-07-11 02:51
Last Updated: 2018-07-11 03:03

Introduction

This document summarizes changes since the last production release on
the BIND 9.11 (Extended Support Version) branch. Please see the CHANGES
file for a further list of bug fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.

License Change

With the release of BIND 9.11.0, ISC changed the open source license for
BIND from the ISC license to the Mozilla Public License (MPL 2.0). The
MPL-2.0 license requires that if you make changes to licensed software
(e.g. BIND) and distribute them outside your organization, that you
publish those changes under that same license. It does not require that
you publish or disclose anything other than the changes you made to our
software.
This requirement will not affect anyone who is using BIND, with or
without modifications, without redistributing it, nor anyone
redistributing it without changes. Therefore, this change will be
without consequence for most individuals and organizations who are using
BIND. Those unsure whether or not the license change affects their use
of BIND, or who wish to discuss how to comply with the license may
contact ISC at https://www.isc.org/mission/contact/.

Legacy Windows No Longer Supported

As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
platforms for BIND; "XP" binaries are no longer available for download
from ISC.

Security Fixes

  * When recursion is enabled but the allow-recursion and
    allow-query-cache ACLs are not specified, they should be limited to
    local networks, but they were inadvertently set to match the default
    allow-query, thus allowing remote queries. This flaw is disclosed in
    CVE-2018-5738. [GL #309]

New Features

  * named now supports the "root key sentinel" mechanism. This enables
    validating resolvers to indicate which trust anchors are configured
    for the root, so that information about root key rollover status can
    be gathered. To disable this feature, add root-key-sentinel no; to
    named.conf.

  * Added the ability not to return a DNS COOKIE option when one is
    present in the request. To prevent a cookie being returned, add
    answer-cookie no; to named.conf. [GL #173]

    answer-cookie no is only intended as a temporary measure, for use
    when named shares an IP address with other servers that do not yet
    support DNS COOKIE. A mismatch between servers on the same address
    is not expected to cause operational problems, but the option to
    disable COOKIE responses so that all servers have the same behavior
    is provided out of an abundance of caution. DNS COOKIE is an
    important security mechanism, and should not be disabled unless
    absolutely necessary.
Removed Features

  * named will now log a warning if the old BIND

Feature Changes

  * BIND now can be compiled against libidn2 library to add IDNA2008
    support. Previously BIND only supported IDNA2003 using (now
    obsolete) idnkit-1 library.

  * dig +noidnin can be used to disable IDN processing on the input
    domain name, when BIND is compiled with IDN support.

  * Multiple cookie-secret clauses are now supported. The first
    cookie-secret in named.conf is used to generate new server cookies.
    Any others are used to accept old server cookies or those generated
    by other servers using the matching cookie-secret.

Bug Fixes

  * named now rejects excessively large incremental (IXFR) zone
    transfers in order to prevent possible corruption of journal files
    which could cause named to abort when loading zones. [GL #339]

  * rndc reload could cause named to leak memory if it was invoked
    before the zone loading actions from a previous rndc reload command
    were completed. [RT #47076]

End of Life

BIND 9.11 (Extended Support Version) will be supported until at least
December, 2021. See
https://www.isc.org/downloads/software-support-policy/ for details of
ISC's software support policy.

- --------------------------------------------------------------------------------

BIND 9.12.2 Release Notes

Author: Michael McNally
Reference Number: AA-01635
Created: 2018-07-11 02:58
Last Updated: 2018-07-11 02:58

Introduction

This document summarizes changes since the last production release on
the BIND 9.12 branch. Please see the CHANGES file for a further list of
bug fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
Security Fixes

  * When recursion is enabled but the allow-recursion and
    allow-query-cache ACLs are not specified, they should be limited to
    local networks, but they were inadvertently set to match the default
    allow-query, thus allowing remote queries. This flaw is disclosed in
    CVE-2018-5738. [GL #309]

  * The serve-stale feature could cause an assertion failure in rbtdb.c
    even when stale-answer-enable was false. The simultaneous use of
    stale cache records and NSEC aggressive negative caching could
    trigger a recursion loop in the named process. This flaw is
    disclosed in CVE-2018-5737. [GL #185]

  * A bug in zone database reference counting could lead to a crash when
    multiple versions of a slave zone were transferred from a master in
    close succession. This flaw is disclosed in CVE-2018-5736. [GL #134]

New Features

  * update-policy rules that otherwise ignore the name field now require
    that it be set to "." to ensure that any type list present is
    properly interpreted. Previously, if the name field was omitted from
    the rule declaration but a type list was present, it wouldn't be
    interpreted as expected.

  * named now supports the "root key sentinel" mechanism. This enables
    validating resolvers to indicate which trust anchors are configured
    for the root, so that information about root key rollover status can
    be gathered. To disable this feature, add root-key-sentinel no; to
    named.conf. [GL #37]

  * Add the ability to not return a DNS COOKIE option when one is
    present in the request. To prevent a cookie being returned add
    answer-cookie no; to named.conf. [GL #173]

    answer-cookie no is only intended as a temporary measure, for use
    when named shares an IP address with other servers that do not yet
    support DNS COOKIE. A mismatch between servers on the same address
    is not expected to cause operational problems, but the option to
    disable COOKIE responses so that all servers have the same behavior
    is provided out of an abundance of caution.
    DNS COOKIE is an important security mechanism, and should not be
    disabled unless absolutely necessary.

Feature Changes

  * BIND now can be compiled against libidn2 library to add IDNA2008
    support. Previously BIND only supported IDNA2003 using (now
    obsolete) idnkit-1 library.

  * dig +noidnin can be used to disable IDN processing on the input
    domain name, when BIND is compiled with IDN support.

Bug Fixes

  * named now rejects excessively large incremental (IXFR) zone
    transfers in order to prevent possible corruption of journal files
    which could cause named to abort when loading zones. [GL #339]

License

BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).

The license requires that if you make changes to BIND and distribute
them outside your organization, those changes must be published under
the same license. It does not require that you publish or disclose
anything other than the changes you have made to our software. This
requirement does not affect anyone who is using BIND, with or without
modifications, without redistributing it, nor anyone redistributing BIND
without changes.

Those wishing to discuss license compliance may contact ISC at
https://www.isc.org/mission/contact/.

End of Life

The end-of-life date for BIND 9.12 has not yet been determined. However,
it is not intended to be an Extended Support Version (ESV) branch;
accordingly, support will end after the next stable branch (9.14)
becomes available. Those needing a longer-lived branch are encouraged to
use the current ESV, BIND 9.11, which will be supported until December
2021. See https://www.isc.org/downloads/software-support-policy/ for
details of ISC's software support policy.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know
who that is, please send an email to auscert@auscert.org.au and we will
forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need
further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW0WXvmaOgq3Tt24GAQi47xAAjzpHwx8W0x0q6xaq7Ugm0kq97czhRStd
aybb2HoOGLAKT96qygOMCTohJxy6GQzulP8ZBCcMW8iUrNCEUJyX1KTQOkr4tDg+
pl2I7AehN7wKJipisLt6GsnNzCag7ZeYrBLDROftoDQ1Jm9I4xIz0Xe3QvQqN7Rh
1/wUSKwSn3ej9qp1kqIXMLrwCxJ+sR2vP/zbGKSpvW7zHGhiRtQa8uPNf7i08kxZ
4RPegp2mIoPvDtbLmB4f2gpqrDQePgL0t47VdpmB+udTT1kdiL5dAcPFEP3ZIoSe
tjF1oX6WQi180GgzXoB4FqpcnNxcQORF/31EyGmxFjaD8Sm0CEoF5YGFVdsJ7hLk
znGYWetJjVlIReFQW+CMWDcODmDy256+LDyOVFcyI2hdutgUIcStlsn3G53ujG+b
vnfzaSiByrZMzJBBt6SqPuNwfHxmaQl/9TWaGi6o2TcrH02zoXIj9gYFvCVgOGRB
w1TwwarQU4VfmVG+HitvxJ+CGGaMpLx7qVPM7UF1HoA48epMYrCLEdL4jo8HkgoP
4pFauzH3/1Xl0oIfdwBCNlqZoVgMkQ/uN/hO63mNBb9NNgFuYp8pAcyPmQ14D7tB
o4t8JZXuQhFomc5Sw7T+dCLroRxpJbl5NTCRKug/C2Z+Op3kHph+lAXtvM5kYW0+
O5/fseH/fig=
=i1a8
-----END PGP SIGNATURE-----