copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2015.0046 - [NetBSD] bind: Denial of service - Remote/unauthenticated

Date: 09 January 2015
References: ESB-2014.2323  ESB-2014.2324  ESB-2014.2350  ESB-2014.2390  ESB-2014.2508  ESB-2015.0138.4  ESB-2015.0477  ESB-2015.0940  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0046
                  bind Denial of Service (CVE-2014-8500)
                              9 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          bind
Publisher:        NetBSD
Operating System: NetBSD
Impact/Access:    Denial of Service -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-8500  

Reference:        ESB-2014.2508
                  ESB-2014.2390
                  ESB-2014.2350
                  ESB-2014.2324
                  ESB-2014.2323

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2015-002
		=================================

Topic:		bind Denial of Service (CVE-2014-8500)


Version:	NetBSD-current:		source prior to Dec 10, 2014
		NetBSD 7 Beta:		affected
		NetBSD 6.1:		affected
		NetBSD 6.0:		affected
		NetBSD 5.2:		affected
		NetBSD 5.1:		affected

Severity:	Denial of Service

Fixed:		NetBSD-current:		Dec 11, 2014
		NetBSD-7 branch:	Jan 06, 2015
		NetBSD-6 branch:	Jan 06, 2015
		NetBSD-6-1 branch:	Jan 06, 2015
		NetBSD-6-0 branch:	Jan 06, 2015
		NetBSD-5 branch:	Dec 26, 2014
		NetBSD-5-2 branch:	Dec 26, 2014
		NetBSD-5-1 branch:	Dec 26, 2014

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A lack of defense against arbitrarily long delegation chains
can be exploited to crash bind.

This primarily concerns resolvers that resolve third-party controlled
domains; authoritative servers can only be affected if an attacker can
control a delegation that the authoritative server needs to traverse
to service the zone.

This vulnerability has been assigned CVE-2014-8500.


Technical Details
=================

By making use of maliciously-constructed zones or a rogue server,
an attacker can exploit an oversight in the code BIND uses to follow
delegations in the Domain Name Service, causing BIND to issue unlimited
queries in an attempt to follow the delegation.  This can lead to
resource exhaustion and denial of service (up to and including
termination of the named server process.)

The fix introduces a config setting to determine at which length
named will stop following the delegation chain and return a failure
instead.


Solutions and Workarounds
=========================

There is no practical workaround (the impractical is not to try to
resolve malicious zones).

Solutions:
+ Install and use a bind package from pkgsrc.

+ Update named from a daily build later than the fix date: fetch from
  http://nyftp.NetBSD.org/pub/NetBSD-daily/<branch>/<date>/<arch>/
  the file binary/sets/base.tgz

  for all releases:
  cd / && tar xzpf <base.tgz-path> ./usr/sbin/named \
	./usr/lib/libbind9.so\* \
	./usr/lib/libisc.so\* \
	./usr/lib/libdns.so\* \
	./usr/lib/libisccfg.so\* \
	./usr/lib/liblwres.so\* \
	./usr/lib/libisccc.so\* 

  If you use debug or profiling libraries or build static binaries with
  bind libs, also install the updated versions from the comp.tgz or
  debug.tgz. 

+ Rebuild your system with the fixes applied.
  NetBSD-current, NetBSD-7, NetBSD-6:
  For better maintainability bind was updated to the latest ISC release
  of the bind branch.
  This means updating just the files containing the vulnerable code won't
  work. Updating src/external/bsd/bind also won't be enough since all
  the bind libraries got version bumps, and src/distrib/sets/lists/*
  will also need selective updates. For this reason, updating the entire
  src tree and recompiling is recommended.

  NetBSD-5:

  fixed versions are (relative to src/dist/bind):
  File                            netbsd-5     netbsd-5-2       netbsd-5-1
  bin/named/config.c              1.1.1.8.4.5  1.1.1.8.4.4.2.1  1.1.1.8.4.1.2.4
  bin/named/query.c               1.8.4.9      1.8.4.7.2.2      1.8.4.2.2.7
  bin/named/server.c              1.1.1.9.4.5  1.1.1.9.4.4.2.1  1.1.1.9.4.1.2.4
  lib/dns/adb.c                   1.6.4.5      1.6.4.4.2.1      1.6.4.1.2.4
  lib/dns/resolver.c              1.8.4.7      1.8.4.6.2.1      1.8.4.2.2.5
  lib/dns/include/dns/adb.h       1.1.1.5.4.4  1.1.1.5.4.3.2.1  1.1.1.5.12.4
  lib/dns/include/dns/resolver.h  1.1.1.5.4.5  1.1.1.5.4.4.2.1  1.1.1.5.4.1.2.4
  lib/export/isc/Makefile.in      1.1.2.4      1.1.2.3.2.1      1.1.4.5
  lib/isc/Makefile.in             1.1.1.6.4.5  1.1.1.6.4.4.2.1  1.1.1.6.4.1.2.4
  lib/isc/include/isc/Makefile.in 1.1.1.5.4.5  1.1.1.5.4.4.2.1  1.1.1.5.4.1.2.4
  lib/isc/include/isc/types.h     1.1.1.5.4.5  1.1.1.5.4.4.2.1  1.1.1.5.4.1.2.4
  lib/isccfg/namedconf.c          1.1.1.7.4.5  1.1.1.7.4.4.2.1  1.1.1.7.4.1.2.4
  lib/isc/counter.c               1.1.2.1      1.1.4.2          1.1.6.2
  lib/isc/include/isc/counter.h   1.1.2.1      1.1.4.2          1.1.6.2
  
  supporting files:
  src/lib/libisc/Makefile         1.2.4.3      1.2.4.2.2.1      1.2.4.1.2.2
  src/usr.sbin/bind/Makefile.inc  1.32.4.2     1.32.4.1.2.1     1.32.12.2

  To update from CVS, re-build and re-install the system:
        # cd src
        # cvs update -d -P -r VERSION FILE
        # cd lib/isc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../dns
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../isccfg
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../bin/named
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install


Thanks To
=========

Thanks to Florian Maury (ANSSI) for reporting this issue
and the ISC security team for their advisory
(https://kb.isc.org/article/AA-01216), which is cited by this
advisory.


Revision History
================

	2015-01-08	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2015-002.txt,v 1.1 2015/01/08 21:02:23 tonnerre Exp $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUrvCMAAoJEAZJc6xMSnBuWqEP/1knhCOQEuvxqC9SBl3wWc//
ft5enLBImScO3ImloLJYeudB79vbtNInPKT940bLEJ5H3KPrb4XEn/tR9PwKYpqU
bLphpvS0Xa9vC3McV2Cm+dum62g197DsDHVHYSUSQhPPIT/TV+vpVi4OZn0BNXin
hIFPIRszHdrP6fLCNNjdU7CQ8r0/ZEexCWJ+5EAlpYFXj6n117S8lWl3ctpTXFhk
47ekUAyz5BqQxUxntPbt/klRJOqSqUxeKfeFgOCATdu3PGKhvvr9rT31A7bOwCaZ
hPvCMFZ9TmZY5OvtsoBTseosWG1R9kJL8hByQP1NFT39Kyu3Tf/A+mf3gt/MXJGT
uk7QTGkvqbffYOU69iSbdWwntbMUHub21CTkJfgKF57CSpvhj2QpwqhB6x+buqB7
MpLzXDxaXX/OJ5eP834Zp7hnjqiMh5C4VUveqQKGPZAx9HKwzw8w4r5CX/7csJzk
MFn5j+78GceOGyroA9cy42mbZqlut6ys9RYKrqgqSq4PFSt4kpRB/YpzAeEJ0UCd
2ca1zD55m07cIM8WeMkOJxU3ebCJgbA4ZJXKXQYdoBG8SUftXZxlukxJTWe/NRBI
oqri17ana3COpu+5ybxc0Y5eizrYrZPbCnOZw89bQdnphCOUdNrWG9Efm8t59iz7
BCyaTaPxTMCHbxfFMriC
=gNcZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVK86fBLndAQH1ShLAQLr1Q//bqf2/s4wXUYm+MCnlldrug0o8QYvtQN1
ou8SGhEPOCNeoNtPE6a/5/RV6BH5TnRF+nqRXA+WJbus/M7WahgbktVhhGtUFick
IfVagOYtuRhOW7ZGFkLpiB4VLhRPdHnSYaOP2e4ezMNyOhvjVl2XpumuH+AUGjeS
U7MqEejq9eHzu9Vc5RttRzz0Lyk7nGWxw59wYzkHQitpI31cEsYeW6mKUdf9rOKV
ntaFkhGX6oHBeTXn3NMveW3aRUhZ0oSgw1qwO++irt5FmcpVAVDUU5/8G1S6nYeY
WbnQ6yt8wyz5L9XPsb5mLDaPOoWWF1icInyrkhakIa0cr6qMorIViIJbOhePGyFq
bcUvSdR3MRBP7qaDJN+TCKYyvkn8xdiYHgQoKCfepJZ9V9chERI8o3CBhl7vPLjr
MWPyDXcTCsr/455qIja4KqZ5HTAiWMne7TWGXnJPGjuafrOkYIUxDeqOFRi8bzej
PkFjfpiYAbB0KFHJu7/cMPoJqpAiCSL/aBKhTdm/Pq1lbs0la1A9K71A47vnt/Fu
8Q91RKeSBjeILQidI8gu7of3xoUcBZYhGS4a8WSiJqais6/m7vuyU9tkfcwf+0UI
ruwYFLpeexOKR8NcFGMZp3Lr8mCLoS1OZK2pGHNquK8CmHtlkLBO2qftuK2DJNql
UUuaqjfGQZk=
=uVl7
-----END PGP SIGNATURE-----