===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4410
                          Security Update : BIND
                             21 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIND
Publisher:         ISC
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-6477  

Original Bulletin: 
   https://lists.isc.org/pipermail/bind-announce/2019-November/001142.html

--------------------------BEGIN INCLUDED TEXT--------------------

CVE:                 CVE-2019-6477
Document version:    1.1
Posting date:        20 November 2019
Program impacted:    BIND

Versions affected:   BIND 9.11.6-P1 -> 9.11.12, 9.12.4-P1 -> 9.12.4-P2,
                     9.14.1 -> 9.14.7, and versions 9.11.5-S6 ->
                     9.11.12-S1 of BIND 9 Supported Preview Edition.
                     Versions 9.15.0 -> 9.15.5 of the BIND 9.15
                     development branch are also affected. Versions
                     prior to BIND 9.11.0 have not been evaluated for
                     vulnerability to CVE-2019-6477.

Severity:            Medium
Exploitable:         Remotely

Description:

    By design, BIND is intended to limit the number of TCP clients that
    can be connected at any given time.  The update to this
    functionality introduced by the fix for CVE-2018-5743 changed how
    BIND calculates the number of concurrent TCP clients: it now counts
    TCP client connections rather than outstanding TCP queries.  On a
    server with TCP-pipelining capability, it is possible for one TCP
    client to send a large number of DNS requests over a single
    connection.  Each outstanding query will be handled internally as an
    independent client request, thus bypassing the new TCP clients
    limit.

Impact:

    With pipelining enabled each incoming query on a TCP connection
    requires a similar resource allocation to a query received via UDP
    or via TCP without pipelining enabled.  A client using a
    TCP-pipelined connection to a server could consume more resources
    than the server has been provisioned to handle.  When a TCP
    connection with a large number of pipelined queries is closed, the
    load on the server releasing these multiple resources can cause it
    to become unresponsive, even for queries that can be answered
    authoritatively or from cache.  (This is most likely to be perceived
    as an intermittent server problem).
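The Description and Impact sections above contrast two accounting strategies: counting TCP connections versus counting outstanding TCP queries. The following added example (not part of the ISC advisory or of BIND's own code) models that distinction offline. It builds a constructed stream of DNS-over-TCP queries (RFC 1035 two-byte length prefix), splits the stream back into messages the way a server must, and tracks both metrics for a single pipelined connection. The `TcpClientAccounting` class, the `tcp-clients` value of 150 and the query names are assumptions chosen for illustration.

```python
import struct

# Constructed example: minimal DNS wire-format query (no EDNS) for a name,
# prefixed with the 2-byte length that DNS-over-TCP (RFC 1035 4.2.2) requires.
def build_tcp_query(qname: str, qid: int) -> bytes:
    # header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(buf: bytes):
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, leftover); a partial trailing frame stays in leftover
    until more bytes arrive, which is the edge case a pipelined reader must handle.
    """
    msgs = []
    off = 0
    while off + 2 <= len(buf):
        (length,) = struct.unpack_from("!H", buf, off)
        if off + 2 + length > len(buf):
            break  # incomplete frame: wait for the rest of the message
        msgs.append(buf[off + 2 : off + 2 + length])
        off += 2 + length
    return msgs, buf[off:]


def query_id(msg: bytes) -> int:
    return struct.unpack_from("!H", msg, 0)[0]


class TcpClientAccounting:
    """Hypothetical model of the two counting strategies the advisory contrasts."""

    def __init__(self, tcp_clients_limit: int):
        self.limit = tcp_clients_limit
        self.connections = {}  # conn_id -> set of outstanding query ids

    def open(self, conn_id):
        self.connections[conn_id] = set()

    def query(self, conn_id, qid):
        self.connections[conn_id].add(qid)

    def respond(self, conn_id, qid):
        self.connections[conn_id].discard(qid)

    def close(self, conn_id):
        # Number of per-query resources released at once when the connection closes;
        # the advisory notes this burst of releases can stall the server.
        return len(self.connections.pop(conn_id))

    def connection_count(self):
        # What the post-CVE-2018-5743 limit measured: one pipelined client counts once.
        return len(self.connections)

    def outstanding_query_count(self):
        # What actually consumes server resources: every unanswered query.
        return sum(len(s) for s in self.connections.values())

    def limit_enforced(self):
        return self.connection_count() <= self.limit


def simulate_pipelined_client(n_queries: int, limit: int = 150):
    """One connection, n_queries pipelined with no responses yet (constructed scenario)."""
    acct = TcpClientAccounting(limit)
    acct.open("conn-1")
    stream = b"".join(build_tcp_query(f"q{i}.example.test.", i) for i in range(n_queries))
    msgs, leftover = split_tcp_stream(stream)
    for m in msgs:
        acct.query("conn-1", query_id(m))
    return {
        "connections": acct.connection_count(),
        "outstanding": acct.outstanding_query_count(),
        "within_limit": acct.limit_enforced(),
        "released_on_close": acct.close("conn-1"),
        "leftover": len(leftover),
    }


if __name__ == "__main__":
    print(simulate_pipelined_client(1000))
```

Running the simulation shows the gap the advisory describes: the connection count stays at 1 and the limit appears satisfied, while the outstanding-query count (the quantity that actually drives memory use) equals the number of pipelined queries, all of which are released together on close.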

CVSS Score:  6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C&version=3.1

Workarounds:

The vulnerability can be avoided by disabling server TCP-pipelining:

    keep-response-order { any; };

and then restarting BIND.  The server restart is necessary because
neither a 'reload' nor a 'reconfig' operation will properly reset
currently pipelining TCP clients.
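To check whether the workaround above is actually present in a configuration (and not merely commented out), the following added audit script, which is not part of the ISC advisory or of BIND, strips named.conf comments and looks for a `keep-response-order` statement whose address-match list is `any`. The two embedded configurations are constructed samples: the first still has pipelining active, the second applies the workaround. The script does not parse quoted strings or include files, so a `//` or `#` inside a quoted value would be treated as a comment; that is a known limitation of this illustration.

```python
import re

# named.conf accepts C-style (/* */), C++-style (//) and shell-style (#) comments.
def strip_named_conf_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    return text


def keep_response_order_settings(text: str):
    """Return every keep-response-order address-match list found outside comments."""
    cleaned = strip_named_conf_comments(text)
    pattern = r"keep-response-order\s*\{([^}]*)\}\s*;"
    return [m.group(1).strip() for m in re.finditer(pattern, cleaned)]


def pipelining_disabled_for_all(text: str) -> bool:
    """True when a keep-response-order statement covers all clients ('any')."""
    return any(re.fullmatch(r"any\s*;", s) for s in keep_response_order_settings(text))


# Constructed sample: the workaround line is commented out, so pipelining is still on.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    tcp-clients 150;
    // keep-response-order { any; };
};
"""

# Constructed sample: the workaround from the advisory is active.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    tcp-clients 150;
    keep-response-order { any; };   # disable TCP pipelining for every client
};
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "pipelining disabled:", pipelining_disabled_for_all(conf))
```

Remember that, as the advisory states, the setting only takes effect for existing pipelined connections after a full restart of named, so a passing audit of the file does not by itself mean the running server has applied it.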

Active exploits:

We are not aware of any active exploits but we have received reports of
servers accidentally affected by high-query-volume clients using
TCP-pipelining.

Solution:

Upgrade to the patched release most closely related to your current
version of BIND:

 *  BIND 9.11.13
 *  BIND 9.14.8
 *  BIND 9.15.6

BIND Supported Preview Edition is a special feature preview branch of
BIND provided to eligible ISC support customers.

* BIND 9.11.13-S1

Note that the fix for CVE-2019-6477 addresses only the server memory
leak issue.  TCP-pipelining may still malfunction by dropping some
responses on a TCP connection where a client query pattern generates
excessive outstanding queries, but the malfunction will affect that
TCP connection alone and will not cause any degradation of service to
other clients.  An affected client connection might also appear to hang,
but will clear when either the client or the server initiates a close
or reset and will not remain in that state indefinitely.

Disabling TCP-pipelining entirely is completely effective at mitigating
the vulnerability with minimal impact to clients that use pipelined TCP
connections and with no impact to clients that do not support TCP-
pipelining.

The majority of Internet client DNS queries are transported over UDP or
TCP without use of TCP-pipelining.

Document revision history:

1.0 Early Notification, 13 November 2019
1.1 Updated Solution, 19 November 2019

Related documents:

See our BIND 9 Security Vulnerability Matrix
( https://kb.isc.org/docs/aa-00913 ) for a complete listing of security
vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory should go
to security-officer@isc.org. To report a new issue, please encrypt your
message using security-officer@isc.org's PGP key which can be found here:

    https://www.isc.org/pgpkey/

If you are unable to use encrypted email, you may also report new issues
at: https://www.isc.org/reportbug/ .

Note:

    ISC patches only currently supported versions. When possible we
    indicate EOL versions affected.  (For current information on which
    versions are actively supported, please see
    https://www.isc.org/download/ .)

ISC Security Vulnerability Disclosure Policy:

    Details of our current security advisory policy and practice can be
    found in the ISC Software Defect and Security Vulnerability
    Disclosure Policy at https://kb.isc.org/docs/aa-00861 .

Legal Disclaimer:

    Internet Systems Consortium (ISC) is providing this notice on an "AS
    IS" basis. No warranty or guarantee of any kind is expressed in this
    notice and none should be implied. ISC expressly excludes and
    disclaims any warranties regarding this notice or materials referred
    to in this notice, including, without limitation, any implied
    warranty of merchantability, fitness for a particular purpose,
    absence of hidden defects, or of non-infringement. Your use or
    reliance on this notice or materials referred to in this notice is
    at your own risk. ISC may change this notice at any time. A
    stand-alone copy or paraphrase of the text of this document that
    omits the document URL is an uncontrolled copy. Uncontrolled copies
    may lack important information, be out of date, or contain factual
    errors.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================