[arch-security] [ASA-201603-7] bind: denial of service

Wed Mar 9 23:54:32 UTC 2016

Arch Linux Security Advisory ASA-201603-7
=========================================

Severity: High
Date    : 2016-03-09
CVE-ID  : CVE-2016-1285 CVE-2016-1286
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package bind before version 9.10.3.P4-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 9.10.3.P4-1.

# pacman -Syu "bind>=9.10.3.P4-1"

The problem has been fixed upstream in version 9.9.8-P4 and 9.10.3.P4.

Workaround
==========

- CVE-2016-1285:

Restrict access to the control channel (by using the "controls"
configuration statement in named.conf) to allow connection only from
trusted systems.

Note that if no "controls" statement is present, named defaults to
allowing control channel connections only from localhost (127.0.0.1 and
::1) if and only if the file rndc.key exists in the configuration
directory and contains valid key syntax.  If rndc.key is not present and
no "controls" statement is present in named.conf, named will not accept
commands on the control channel.

- CVE-2016-1286:

None.

Description
===========

- CVE-2016-1285:

Testing by ISC has uncovered a defect in control channel input handling
which can cause named to exit due to an assertion failure in sexpr.c or
alist.c when a malformed packet is sent to named's control channel (the
interface which allows named to be controlled using the 'rndc" server
control utility).

This assertion occurs before authentication but after
network-address-based access controls have been applied.  Or in other
words:  an attacker does not need to have a key or other authentication,
but does need to be within the address list specified in the "controls"
statement in named.conf which enables the control channel.  If no
"controls" statement is present in named.conf, named still defaults to
listening for control channel information on loopback addresses
(127.0.0.1 and ::1) if the file rndc.key is present in the configuration
directory and contains a valid key.

A search for similar problems revealed an associated defect in the rndc
server control utility whereby a malformed response from the server
could cause the rndc program to crash.  For completeness, it is being
fixed at the same time even though this defect in the rndc utility is
not in itself exploitable.

- CVE-2016-1286:

An error when parsing signature records for DNAME records having
specific properties can lead to named exiting due to an assertion
failure in resolver.c or db.c.

Impact
======

A remote attacker can crash a vulnerable bind server, authoritative or
recursive, by sending a crafted response to a query or, if allowed by
the network-address-based ACLs, by sending a crafted packet to the
control channel.

References
==========

https://kb.isc.org/article/AA-01352/
https://kb.isc.org/article/AA-01353/
https://access.redhat.com/security/cve/CVE-2016-1285
https://access.redhat.com/security/cve/CVE-2016-1286

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160310/04085f61/attachment-0001.asc>