BSDSec

deadsimple BSD Security Advisories and Announcements

NetBSD Security Advisory 2015-002: bind Denial of Service (CVE-2014-8500)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2015-002
		=================================

Topic:		bind Denial of Service (CVE-2014-8500)


Version:	NetBSD-current:		source prior to Dec 10, 2014
		NetBSD 7 Beta:		affected
		NetBSD 6.1:		affected
		NetBSD 6.0:		affected
		NetBSD 5.2:		affected
		NetBSD 5.1:		affected

Severity:	Denial of Service

Fixed:		NetBSD-current:		Dec 11, 2014
		NetBSD-7 branch:	Jan 06, 2015
		NetBSD-6 branch:	Jan 06, 2015
		NetBSD-6-1 branch:	Jan 06, 2015
		NetBSD-6-0 branch:	Jan 06, 2015
		NetBSD-5 branch:	Dec 26, 2014
		NetBSD-5-2 branch:	Dec 26, 2014
		NetBSD-5-1 branch:	Dec 26, 2014

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A lack of defense against arbitrarily long delegation chains
can be exploited to crash bind.

This primarily concerns resolvers that resolve third-party controlled
domains; authoritative servers can only be affected if an attacker can
control a delegation that the authoritative server needs to traverse
to service the zone.

This vulnerability has been assigned CVE-2014-8500.


Technical Details
=================

By making use of maliciously-constructed zones or a rogue server,
an attacker can exploit an oversight in the code BIND uses to follow
delegations in the Domain Name Service, causing BIND to issue unlimited
queries in an attempt to follow the delegation.  This can lead to
resource exhaustion and denial of service (up to and including
termination of the named server process.)

The fix introduces a config setting to determine at which length
named will stop following the delegation chain and return a failure
instead.


Solutions and Workarounds
=========================

There is no practical workaround (the impractical is not to try to
resolve malicious zones).

Solutions:
+ Install and use a bind package from pkgsrc.

+ Update named from a daily build later than the fix date: fetch from
  http://nyftp.NetBSD.org/pub/NetBSD-daily/<branch>/<date>/<arch>/
  the file binary/sets/base.tgz

  for all releases:
  cd / && tar xzpf <base.tgz-path> ./usr/sbin/named \
	./usr/lib/libbind9.so\* \
	./usr/lib/libisc.so\* \
	./usr/lib/libdns.so\* \
	./usr/lib/libisccfg.so\* \
	./usr/lib/liblwres.so\* \
	./usr/lib/libisccc.so\* 

  If you use debug or profiling libraries or build static binaries with
  bind libs, also install the updated versions from the comp.tgz or
  debug.tgz. 

+ Rebuild your system with the fixes applied.
  NetBSD-current, NetBSD-7, NetBSD-6:
  For better maintainability bind was updated to the latest ISC release
  of the bind branch.
  This means updating just the files containing the vulnerable code won't
  work. Updating src/external/bsd/bind also won't be enough since all
  the bind libraries got version bumps, and src/distrib/sets/lists/*
  will also need selective updates. For this reason, updating the entire
  src tree and recompiling is recommended.

  NetBSD-5:

  fixed versions are (relative to src/dist/bind):
  File                            netbsd-5     netbsd-5-2       netbsd-5-1
  bin/named/config.c              1.1.1.8.4.5  1.1.1.8.4.4.2.1  1.1.1.8.4.1.2.4
  bin/named/query.c               1.8.4.9      1.8.4.7.2.2      1.8.4.2.2.7
  bin/named/server.c              1.1.1.9.4.5  1.1.1.9.4.4.2.1  1.1.1.9.4.1.2.4
  lib/dns/adb.c                   1.6.4.5      1.6.4.4.2.1      1.6.4.1.2.4
  lib/dns/resolver.c              1.8.4.7      1.8.4.6.2.1      1.8.4.2.2.5
  lib/dns/include/dns/adb.h       1.1.1.5.4.4  1.1.1.5.4.3.2.1  1.1.1.5.12.4
  lib/dns/include/dns/resolver.h  1.1.1.5.4.5  1.1.1.5.4.4.2.1  1.1.1.5.4.1.2.4
  lib/export/isc/Makefile.in      1.1.2.4      1.1.2.3.2.1      1.1.4.5
  lib/isc/Makefile.in             1.1.1.6.4.5  1.1.1.6.4.4.2.1  1.1.1.6.4.1.2.4
  lib/isc/include/isc/Makefile.in 1.1.1.5.4.5  1.1.1.5.4.4.2.1  1.1.1.5.4.1.2.4
  lib/isc/include/isc/types.h     1.1.1.5.4.5  1.1.1.5.4.4.2.1  1.1.1.5.4.1.2.4
  lib/isccfg/namedconf.c          1.1.1.7.4.5  1.1.1.7.4.4.2.1  1.1.1.7.4.1.2.4
  lib/isc/counter.c               1.1.2.1      1.1.4.2          1.1.6.2
  lib/isc/include/isc/counter.h   1.1.2.1      1.1.4.2          1.1.6.2
  
  supporting files:
  src/lib/libisc/Makefile         1.2.4.3      1.2.4.2.2.1      1.2.4.1.2.2
  src/usr.sbin/bind/Makefile.inc  1.32.4.2     1.32.4.1.2.1     1.32.12.2

  To update from CVS, re-build and re-install the system:
        # cd src
        # cvs update -d -P -r VERSION FILE
        # cd lib/isc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../dns
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../isccfg
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../bin/named
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install


Thanks To
=========

Thanks to Florian Maury (ANSSI) for reporting this issue
and the ISC security team for their advisory
(https://kb.isc.org/article/AA-01216), which is cited by this
advisory.


Revision History
================

	2015-01-08	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2015-002.txt,v 1.1 2015/01/08 21:02:23 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUrvCMAAoJEAZJc6xMSnBuWqEP/1knhCOQEuvxqC9SBl3wWc//
ft5enLBImScO3ImloLJYeudB79vbtNInPKT940bLEJ5H3KPrb4XEn/tR9PwKYpqU
bLphpvS0Xa9vC3McV2Cm+dum62g197DsDHVHYSUSQhPPIT/TV+vpVi4OZn0BNXin
hIFPIRszHdrP6fLCNNjdU7CQ8r0/ZEexCWJ+5EAlpYFXj6n117S8lWl3ctpTXFhk
47ekUAyz5BqQxUxntPbt/klRJOqSqUxeKfeFgOCATdu3PGKhvvr9rT31A7bOwCaZ
hPvCMFZ9TmZY5OvtsoBTseosWG1R9kJL8hByQP1NFT39Kyu3Tf/A+mf3gt/MXJGT
uk7QTGkvqbffYOU69iSbdWwntbMUHub21CTkJfgKF57CSpvhj2QpwqhB6x+buqB7
MpLzXDxaXX/OJ5eP834Zp7hnjqiMh5C4VUveqQKGPZAx9HKwzw8w4r5CX/7csJzk
MFn5j+78GceOGyroA9cy42mbZqlut6ys9RYKrqgqSq4PFSt4kpRB/YpzAeEJ0UCd
2ca1zD55m07cIM8WeMkOJxU3ebCJgbA4ZJXKXQYdoBG8SUftXZxlukxJTWe/NRBI
oqri17ana3COpu+5ybxc0Y5eizrYrZPbCnOZw89bQdnphCOUdNrWG9Efm8t59iz7
BCyaTaPxTMCHbxfFMriC
=gNcZ
-----END PGP SIGNATURE-----