Arch Linux Security Advisory ASA-201603-7 ========================================= Severity: High Date : 2016-03-09 CVE-ID : CVE-2016-1285 CVE-2016-1286 Package : bind Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package bind before version 9.10.3.P4-1 is vulnerable to denial of service. Resolution ========== Upgrade to 9.10.3.P4-1. # pacman -Syu "bind>=9.10.3.P4-1" The problem has been fixed upstream in version 9.9.8-P4 and 9.10.3.P4. Workaround ========== - CVE-2016-1285: Restrict access to the control channel (by using the "controls" configuration statement in named.conf) to allow connection only from trusted systems. Note that if no "controls" statement is present, named defaults to allowing control channel connections only from localhost (127.0.0.1 and ::1) if and only if the file rndc.key exists in the configuration directory and contains valid key syntax. If rndc.key is not present and no "controls" statement is present in named.conf, named will not accept commands on the control channel. - CVE-2016-1286: None. Description =========== - CVE-2016-1285: Testing by ISC has uncovered a defect in control channel input handling which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named's control channel (the interface which allows named to be controlled using the 'rndc" server control utility). This assertion occurs before authentication but after network-address-based access controls have been applied. Or in other words: an attacker does not need to have a key or other authentication, but does need to be within the address list specified in the "controls" statement in named.conf which enables the control channel. If no "controls" statement is present in named.conf, named still defaults to listening for control channel information on loopback addresses (127.0.0.1 and ::1) if the file rndc.key is present in the configuration directory and contains a valid key. A search for similar problems revealed an associated defect in the rndc server control utility whereby a malformed response from the server could cause the rndc program to crash. For completeness, it is being fixed at the same time even though this defect in the rndc utility is not in itself exploitable. - CVE-2016-1286: An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. Impact ====== A remote attacker can crash a vulnerable bind server, authoritative or recursive, by sending a crafted response to a query or, if allowed by the network-address-based ACLs, by sending a crafted packet to the control channel. References ========== https://kb.isc.org/article/AA-01352/ https://kb.isc.org/article/AA-01353/ https://access.redhat.com/security/cve/CVE-2016-1285 https://access.redhat.com/security/cve/CVE-2016-1286