-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0046
                  bind Denial of Service (CVE-2014-8500)
                               9 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           bind
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8500

Reference:         ESB-2014.2508
                   ESB-2014.2390
                   ESB-2014.2350
                   ESB-2014.2324
                   ESB-2014.2323

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2015-002
                 =================================

Topic:          bind Denial of Service (CVE-2014-8500)

Version:        NetBSD-current:     source prior to Dec 10, 2014
                NetBSD 7 Beta:      affected
                NetBSD 6.1:         affected
                NetBSD 6.0:         affected
                NetBSD 5.2:         affected
                NetBSD 5.1:         affected

Severity:       Denial of Service

Fixed:          NetBSD-current:     Dec 11, 2014
                NetBSD-7 branch:    Jan 06, 2015
                NetBSD-6 branch:    Jan 06, 2015
                NetBSD-6-1 branch:  Jan 06, 2015
                NetBSD-6-0 branch:  Jan 06, 2015
                NetBSD-5 branch:    Dec 26, 2014
                NetBSD-5-2 branch:  Dec 26, 2014
                NetBSD-5-1 branch:  Dec 26, 2014

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A lack of defense against arbitrarily long delegation chains can be
exploited to crash bind. This primarily concerns resolvers that resolve
third-party controlled domains; authoritative servers can only be
affected if an attacker can control a delegation that the authoritative
server needs to traverse to service the zone.

This vulnerability has been assigned CVE-2014-8500.
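The unbounded delegation chase described in the abstract, as an added illustration that is not NetBSD or ISC code: a toy resolver over a constructed in-memory delegation graph, run first without and then with a per-lookup query budget of the kind the fix introduces. All names, addresses, the chain length and the budget value are assumptions.

```python
# Added example, not NetBSD or ISC code.  Toy iterative resolver over a
# constructed delegation graph.  Without a budget it issues one query per
# hop for as long as the remote side keeps delegating (the vulnerable
# behaviour); with a budget it returns a bounded failure instead.
# Names, addresses, chain length and budget are assumptions.

class ServFail(Exception):
    """Raised when the resolver gives up on a lookup."""

def make_lookup(malicious_hops):
    """Fake authoritative answers: good.test. is a normal two-hop
    delegation; ns0.evil.test. starts a chain of `malicious_hops`
    delegations, each naming a server that must itself be resolved."""
    def lookup(name):
        if name == "good.test.":
            return ("NS", "ns.good.test.")
        if name == "ns.good.test.":
            return ("A", "192.0.2.53")          # TEST-NET-1 address
        if name.endswith(".evil.test."):
            hop = int(name.split(".")[0][2:])    # nsN.evil.test. -> N
            if hop < malicious_hops:
                return ("NS", f"ns{hop + 1}.evil.test.")
            return ("A", "203.0.113.7")          # TEST-NET-3 address
        raise ServFail(f"no data for {name}")
    return lookup

def resolve(name, lookup, max_queries=None):
    """Chase delegations for `name`; return (address, queries_sent).
    max_queries=None mirrors the unpatched loop, which runs for as many
    hops as the remote side supplies; a budget makes it fail once spent."""
    queries = 0
    current = name
    while True:
        if max_queries is not None and queries >= max_queries:
            raise ServFail(f"{name}: gave up after {queries} queries")
        queries += 1
        kind, target = lookup(current)
        if kind == "A":
            return target, queries
        current = target  # next hop: resolve the delegated server's name

if __name__ == "__main__":
    lookup = make_lookup(malicious_hops=5000)
    print(resolve("good.test.", lookup, max_queries=75))   # 2 queries
    print(resolve("ns0.evil.test.", lookup))                # 5001 queries
    try:
        resolve("ns0.evil.test.", lookup, max_queries=75)
    except ServFail as err:
        print("SERVFAIL:", err)
```

Every extra hop in the malicious chain costs the resolver another outbound query, which is the resource-exhaustion lever; the budget caps that cost at a value the operator chooses.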
Technical Details
=================

By making use of maliciously-constructed zones or a rogue server, an
attacker can exploit an oversight in the code BIND uses to follow
delegations in the Domain Name Service, causing BIND to issue unlimited
queries in an attempt to follow the delegation. This can lead to
resource exhaustion and denial of service (up to and including
termination of the named server process).

The fix introduces a config setting to determine at which length named
will stop following the delegation chain and return a failure instead.

Solutions and Workarounds
=========================

There is no practical workaround (the impractical one is not to try to
resolve malicious zones).

Solutions:

+ Install and use a bind package from pkgsrc.

+ Update named from a daily build later than the fix date: fetch from

    http://nyftp.NetBSD.org/pub/NetBSD-daily/<branch>/<date>/<arch>/

  the file binary/sets/base.tgz for all releases:

    cd / && tar xzpf <base.tgz-path> ./usr/sbin/named \
        ./usr/lib/libbind9.so\* \
        ./usr/lib/libisc.so\* \
        ./usr/lib/libdns.so\* \
        ./usr/lib/libisccfg.so\* \
        ./usr/lib/liblwres.so\* \
        ./usr/lib/libisccc.so\*

  If you use debug or profiling libraries or build static binaries with
  bind libs, also install the updated versions from the comp.tgz or
  debug.tgz.

+ Rebuild your system with the fixes applied.

  NetBSD-current, NetBSD-7, NetBSD-6:

  For better maintainability bind was updated to the latest ISC release
  of the bind branch. This means updating just the files containing the
  vulnerable code won't work. Updating src/external/bsd/bind also won't
  be enough since all the bind libraries got version bumps, and
  src/distrib/sets/lists/* will also need selective updates. For this
  reason, updating the entire src tree and recompiling is recommended.
  NetBSD-5:

  Fixed versions are (relative to src/dist/bind):

  File                             netbsd-5       netbsd-5-2        netbsd-5-1
  bin/named/config.c               1.1.1.8.4.5    1.1.1.8.4.4.2.1   1.1.1.8.4.1.2.4
  bin/named/query.c                1.8.4.9        1.8.4.7.2.2       1.8.4.2.2.7
  bin/named/server.c               1.1.1.9.4.5    1.1.1.9.4.4.2.1   1.1.1.9.4.1.2.4
  lib/dns/adb.c                    1.6.4.5        1.6.4.4.2.1       1.6.4.1.2.4
  lib/dns/resolver.c               1.8.4.7        1.8.4.6.2.1       1.8.4.2.2.5
  lib/dns/include/dns/adb.h        1.1.1.5.4.4    1.1.1.5.4.3.2.1   1.1.1.5.12.4
  lib/dns/include/dns/resolver.h   1.1.1.5.4.5    1.1.1.5.4.4.2.1   1.1.1.5.4.1.2.4
  lib/export/isc/Makefile.in       1.1.2.4        1.1.2.3.2.1       1.1.4.5
  lib/isc/Makefile.in              1.1.1.6.4.5    1.1.1.6.4.4.2.1   1.1.1.6.4.1.2.4
  lib/isc/include/isc/Makefile.in  1.1.1.5.4.5    1.1.1.5.4.4.2.1   1.1.1.5.4.1.2.4
  lib/isc/include/isc/types.h      1.1.1.5.4.5    1.1.1.5.4.4.2.1   1.1.1.5.4.1.2.4
  lib/isccfg/namedconf.c           1.1.1.7.4.5    1.1.1.7.4.4.2.1   1.1.1.7.4.1.2.4
  lib/isc/counter.c                1.1.2.1        1.1.4.2           1.1.6.2
  lib/isc/include/isc/counter.h    1.1.2.1        1.1.4.2           1.1.6.2

  Supporting files:

  src/lib/libisc/Makefile          1.2.4.3        1.2.4.2.2.1       1.2.4.1.2.2
  src/usr.sbin/bind/Makefile.inc   1.32.4.2       1.32.4.1.2.1      1.32.12.2

  To update from CVS, re-build and re-install the system:

    # cd src
    # cvs update -d -P -r VERSION FILE
    # cd lib/isc
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install
    # cd ../dns
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install
    # cd ../isccfg
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install
    # cd ../../bin/named
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install

Thanks To
=========

Thanks to Florian Maury (ANSSI) for reporting this issue and the ISC
security team for their advisory (https://kb.isc.org/article/AA-01216),
which is cited by this advisory.

Revision History
================

2015-01-08      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-002.txt.asc

Information about NetBSD and NetBSD security can be found at

  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/

Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2015-002.txt,v 1.1 2015/01/08 21:02:23 tonnerre Exp $

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which
may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================