NetBSD Security Advisory 2015-002: bind Denial of Service (CVE-2014-8500)
8 January, 2015 by security-officer@NetBSD.org | netbsd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2015-002
                 =================================

Topic:          bind Denial of Service (CVE-2014-8500)

Version:        NetBSD-current:         source prior to Dec 10, 2014
                NetBSD 7 Beta:          affected
                NetBSD 6.1:             affected
                NetBSD 6.0:             affected
                NetBSD 5.2:             affected
                NetBSD 5.1:             affected

Severity:       Denial of Service

Fixed:          NetBSD-current:         Dec 11, 2014
                NetBSD-7 branch:        Jan 06, 2015
                NetBSD-6 branch:        Jan 06, 2015
                NetBSD-6-1 branch:      Jan 06, 2015
                NetBSD-6-0 branch:      Jan 06, 2015
                NetBSD-5 branch:        Dec 26, 2014
                NetBSD-5-2 branch:      Dec 26, 2014
                NetBSD-5-1 branch:      Dec 26, 2014

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A lack of defense against arbitrarily long delegation chains can be
exploited to crash bind. This primarily concerns resolvers that resolve
third-party controlled domains; authoritative servers can only be
affected if an attacker can control a delegation that the authoritative
server needs to traverse to service the zone.

This vulnerability has been assigned CVE-2014-8500.


Technical Details
=================

By making use of maliciously-constructed zones or a rogue server, an
attacker can exploit an oversight in the code BIND uses to follow
delegations in the Domain Name System, causing BIND to issue an
unlimited number of queries in an attempt to follow the delegation.
This can lead to resource exhaustion and denial of service (up to and
including termination of the named server process).

The fix introduces a configuration setting that determines at which
length named stops following the delegation chain and returns a
failure instead.


Solutions and Workarounds
=========================

There is no practical workaround (the only, impractical, one is not to
resolve malicious zones).

Solutions:

+ Install and use a bind package from pkgsrc.

+ Update named from a daily build later than the fix date: fetch from
  http://nyftp.NetBSD.org/pub/NetBSD-daily/<branch>/<date>/<arch>/
  the file binary/sets/base.tgz for all releases:

        cd / && tar xzpf <base.tgz-path> ./usr/sbin/named \
                ./usr/lib/libbind9.so\* \
                ./usr/lib/libisc.so\* \
                ./usr/lib/libdns.so\* \
                ./usr/lib/libisccfg.so\* \
                ./usr/lib/liblwres.so\* \
                ./usr/lib/libisccc.so\*

  If you use debug or profiling libraries or build static binaries
  with the bind libraries, also install the updated versions from
  comp.tgz or debug.tgz.

+ Rebuild your system with the fixes applied.

  NetBSD-current, NetBSD-7, NetBSD-6:

  For better maintainability bind was updated to the latest ISC release
  of the bind branch. This means updating just the files containing the
  vulnerable code won't work. Updating src/external/bsd/bind also won't
  be enough, since all the bind libraries got version bumps and
  src/distrib/sets/lists/* will also need selective updates. For this
  reason, updating the entire src tree and recompiling is recommended.

  NetBSD-5: fixed versions are (relative to src/dist/bind):

  File                             netbsd-5      netbsd-5-2        netbsd-5-1
  bin/named/config.c               1.1.1.8.4.5   1.1.1.8.4.4.2.1   1.1.1.8.4.1.2.4
  bin/named/query.c                1.8.4.9       1.8.4.7.2.2       1.8.4.2.2.7
  bin/named/server.c               1.1.1.9.4.5   1.1.1.9.4.4.2.1   1.1.1.9.4.1.2.4
  lib/dns/adb.c                    1.6.4.5       1.6.4.4.2.1       1.6.4.1.2.4
  lib/dns/resolver.c               1.8.4.7       1.8.4.6.2.1       1.8.4.2.2.5
  lib/dns/include/dns/adb.h        1.1.1.5.4.4   1.1.1.5.4.3.2.1   1.1.1.5.12.4
  lib/dns/include/dns/resolver.h   1.1.1.5.4.5   1.1.1.5.4.4.2.1   1.1.1.5.4.1.2.4
  lib/export/isc/Makefile.in       1.1.2.4       1.1.2.3.2.1       1.1.4.5
  lib/isc/Makefile.in              1.1.1.6.4.5   1.1.1.6.4.4.2.1   1.1.1.6.4.1.2.4
  lib/isc/include/isc/Makefile.in  1.1.1.5.4.5   1.1.1.5.4.4.2.1   1.1.1.5.4.1.2.4
  lib/isc/include/isc/types.h      1.1.1.5.4.5   1.1.1.5.4.4.2.1   1.1.1.5.4.1.2.4
  lib/isccfg/namedconf.c           1.1.1.7.4.5   1.1.1.7.4.4.2.1   1.1.1.7.4.1.2.4
  lib/isc/counter.c                1.1.2.1       1.1.4.2           1.1.6.2
  lib/isc/include/isc/counter.h    1.1.2.1       1.1.4.2           1.1.6.2

  supporting files:
  src/lib/libisc/Makefile          1.2.4.3       1.2.4.2.2.1       1.2.4.1.2.2
  src/usr.sbin/bind/Makefile.inc   1.32.4.2      1.32.4.1.2.1      1.32.12.2

  To update from CVS, re-build and re-install the system:

        # cd src
        # cvs update -d -P -r VERSION FILE
        # cd lib/isc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../dns
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../isccfg
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../bin/named
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install


Thanks To
=========

Thanks to Florian Maury (ANSSI) for reporting this issue and the ISC
security team for their advisory (https://kb.isc.org/article/AA-01216),
which is cited by this advisory.


Revision History
================

2015-01-08      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-002.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2015-002.txt,v 1.1 2015/01/08 21:02:23 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUrvCMAAoJEAZJc6xMSnBuWqEP/1knhCOQEuvxqC9SBl3wWc//
ft5enLBImScO3ImloLJYeudB79vbtNInPKT940bLEJ5H3KPrb4XEn/tR9PwKYpqU
bLphpvS0Xa9vC3McV2Cm+dum62g197DsDHVHYSUSQhPPIT/TV+vpVi4OZn0BNXin
hIFPIRszHdrP6fLCNNjdU7CQ8r0/ZEexCWJ+5EAlpYFXj6n117S8lWl3ctpTXFhk
47ekUAyz5BqQxUxntPbt/klRJOqSqUxeKfeFgOCATdu3PGKhvvr9rT31A7bOwCaZ
hPvCMFZ9TmZY5OvtsoBTseosWG1R9kJL8hByQP1NFT39Kyu3Tf/A+mf3gt/MXJGT
uk7QTGkvqbffYOU69iSbdWwntbMUHub21CTkJfgKF57CSpvhj2QpwqhB6x+buqB7
MpLzXDxaXX/OJ5eP834Zp7hnjqiMh5C4VUveqQKGPZAx9HKwzw8w4r5CX/7csJzk
MFn5j+78GceOGyroA9cy42mbZqlut6ys9RYKrqgqSq4PFSt4kpRB/YpzAeEJ0UCd
2ca1zD55m07cIM8WeMkOJxU3ebCJgbA4ZJXKXQYdoBG8SUftXZxlukxJTWe/NRBI
oqri17ana3COpu+5ybxc0Y5eizrYrZPbCnOZw89bQdnphCOUdNrWG9Efm8t59iz7
BCyaTaPxTMCHbxfFMriC
=gNcZ
-----END PGP SIGNATURE-----
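Added example, outside the signed advisory and not code from NetBSD or ISC: a small Python model of the delegation-following loop described under Technical Details. An attacker-controlled server answers every query with a glue-less referral to a nameserver whose name must itself be resolved from the attacker's zone, so an unlimited resolver never finishes and keeps issuing queries. The two limits modelled here correspond to the named.conf options ISC's fix introduced, max-recursion-depth and max-recursion-queries (the values 7 and 50 used as defaults below match ISC's defaults at the time; check named.conf(5) on your build). All names, addresses and zone contents are constructed for the example.

```python
"""Model of CVE-2014-8500: a recursive resolver following an attacker's
endless chain of glue-less delegations, with and without the limits
ISC added to BIND (max-recursion-depth / max-recursion-queries).
All names, addresses and zone data are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ROOT_IP = "198.51.100.1"        # constructed: our fake root server
EXAMPLE_NS_IP = "198.51.100.2"  # constructed: authoritative for example.
ROGUE_IP = "203.0.113.1"        # constructed: attacker-controlled server


@dataclass
class Response:
    kind: str                       # "answer", "referral" or "nxdomain"
    address: Optional[str] = None   # for answers
    ns: Optional[str] = None        # for referrals: delegated-to NS name
    glue: Optional[str] = None      # for referrals: NS address, if supplied


def root_server(qname: str) -> Response:
    """Fake root: knows only that example. is delegated to ns.example."""
    if qname == "example." or qname.endswith(".example."):
        return Response("referral", ns="ns.example.", glue=EXAMPLE_NS_IP)
    return Response("nxdomain")


def example_server(qname: str) -> Response:
    """Authoritative for example.; delegates evil.example. to the attacker."""
    if qname == "evil.example." or qname.endswith(".evil.example."):
        return Response("referral", ns="ns.evil.example.", glue=ROGUE_IP)
    records = {"www.example.": "192.0.2.10", "ns.example.": EXAMPLE_NS_IP}
    if qname in records:
        return Response("answer", address=records[qname])
    return Response("nxdomain")


_CHAIN = re.compile(r"^ns\.c(\d+)\.evil\.example\.$")


def rogue_server(qname: str) -> Response:
    """Attacker: every query gets a referral to a nameserver whose name needs
    yet another resolution (no glue), so the delegation chain never ends."""
    m = _CHAIN.match(qname)
    nxt = int(m.group(1)) + 1 if m else 1
    return Response("referral", ns=f"ns.c{nxt}.evil.example.", glue=None)


SERVERS: Dict[str, Callable[[str], Response]] = {
    ROOT_IP: root_server, EXAMPLE_NS_IP: example_server, ROGUE_IP: rogue_server,
}


@dataclass
class Limits:
    """None disables a limit, i.e. the pre-fix behaviour."""
    max_recursion_depth: Optional[int] = 7
    max_recursion_queries: Optional[int] = 50


class ResolutionAborted(Exception):
    """named gives up on this lookup and answers SERVFAIL."""


class NoSuchName(Exception):
    """An authoritative server said the name does not exist."""


class SimulationStopped(Exception):
    """Harness-only stop so the unlimited run terminates at all."""


class Resolver:
    def __init__(self, limits: Limits, harness_cap: Optional[int] = None):
        self.limits, self.harness_cap, self.queries = limits, harness_cap, 0

    def _query(self, server_ip: str, qname: str) -> Response:
        lim = self.limits.max_recursion_queries
        if lim is not None and self.queries >= lim:
            raise ResolutionAborted("max-recursion-queries exceeded")
        if self.harness_cap is not None and self.queries >= self.harness_cap:
            raise SimulationStopped()
        self.queries += 1
        return SERVERS[server_ip](qname)

    def _resolve(self, qname: str, depth: int) -> str:
        lim = self.limits.max_recursion_depth
        if lim is not None and depth > lim:
            raise ResolutionAborted("max-recursion-depth exceeded")
        server = ROOT_IP
        while True:
            resp = self._query(server, qname)
            if resp.kind == "answer":
                return resp.address
            if resp.kind == "nxdomain":
                raise NoSuchName(qname)
            if resp.glue is not None:
                server = resp.glue
            else:  # glue-less delegation: resolving the NS name nests a lookup
                server = self._resolve(resp.ns, depth + 1)

    def lookup(self, qname: str):
        """Returns (rcode, address or reason, number of queries issued)."""
        self.queries = 0
        try:
            return ("NOERROR", self._resolve(qname, 0), self.queries)
        except NoSuchName:
            return ("NXDOMAIN", None, self.queries)
        except ResolutionAborted as exc:
            return ("SERVFAIL", str(exc), self.queries)


def unpatched_query_count(qname: str, cap: int) -> int:
    """Queries an unlimited resolver issues before the harness stops it."""
    r = Resolver(Limits(None, None), harness_cap=cap)
    try:
        r.lookup(qname)
    except SimulationStopped:
        pass
    return r.queries


if __name__ == "__main__":
    print(Resolver(Limits()).lookup("www.example."))
    print(Resolver(Limits()).lookup("www.evil.example."))
    print(Resolver(Limits(max_recursion_depth=None)).lookup("www.evil.example."))
    print(unpatched_query_count("www.evil.example.", 600))
```

With the limits in place the attacker's name costs 24 queries and eight nesting levels before named answers SERVFAIL; with only the query cap it stops at 50; with neither limit the count grows until the harness cuts it off, which is the resource exhaustion the advisory describes. A quick way to confirm a rebuilt named carries the fix is to run named-checkconf over a named.conf that sets "max-recursion-depth 7;" in the options block: an unfixed named rejects it as an unknown option.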