140 lines
5.3 KiB
Text
140 lines
5.3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-15:05.bind Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: BIND remote denial of service vulnerability
|
|
|
|
Category: contrib
|
|
Module: bind
|
|
Announced: 2015-02-25
|
|
Credits: ISC
|
|
Affects: FreeBSD 8.x and FreeBSD 9.x.
|
|
Corrected: 2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE)
|
|
2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
|
|
2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE)
|
|
2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
|
|
CVE Name: CVE-2015-1349
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
|
|
The named(8) daemon is an Internet Domain Name Server.
|
|
|
|
II. Problem Description
|
|
|
|
BIND servers which are configured to perform DNSSEC validation and which
|
|
are using managed keys (which occurs implicitly when using
|
|
"dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
|
|
unpredictable behavior due to the use of an improperly initialized
|
|
variable.
|
|
|
|
III. Impact
|
|
|
|
A remote attacker can trigger a crash of a name server that is configured
|
|
to use managed keys under specific and limited circumstances. However,
|
|
the complexity of the attack is very high unless the attacker has a
|
|
specific network relationship to the BIND server which is targeted.
|
|
|
|
IV. Workaround
|
|
|
|
Only systems that runs BIND, including recursive resolvers and authoritative
|
|
servers that performs DNSSEC validation and using managed-keys are affected.
|
|
|
|
This issue can be worked around by not using "auto" for the dnssec-validation
|
|
or dnssec-lookaside options and do not configure a managed-keys statement.
|
|
Note that in order to do DNSSEC validation with this workaround one would
|
|
have to configure an explicit trusted-keys statement with the appropriate
|
|
keys.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch.asc
|
|
# gpg --verify bind.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart the applicable daemons, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/8/ r278973
|
|
releng/8.4/ r279265
|
|
stable/9/ r278972
|
|
releng/9.3/ r279265
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://kb.isc.org/article/AA-01235>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:05.bind.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.1 (FreeBSD)
|
|
|
|
iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnKkgP/3vUBO8o5ofQFMUYSS1siPxZ
|
|
63OeeRlMabEgiWZaQ+V2O7/CPrHDIgJHQABx9kNoiutWD9TC3c5f7Yh4nfaXmbKe
|
|
Ncu3EjF1Zw/uGbu3cXjboX0CYnBDYrPNJnzIvSG0UlTY5hEIi3FgN4v2Q3gzuU/2
|
|
3aUlFHyZb4GVzK+lA+wD0unOc6+il6LHPpSzwRbLpNxCB2J582HoCuw9i5NfMiOB
|
|
KP8axZeNZLMpE90s3H/VD+7UIoe6eOC0kykH/DpuUIUxxlExK9c8f9QurpoCnOrV
|
|
qwPAeWEYjmjZmMFivVZf5ugir6diaenfPjpXvUGNz2pCp5wlRkku71sMDsgnErX2
|
|
Fnuc6nCXqTb/XX6zQmz/236EEVr2UBuX0cXWT0Dvu8GznMij/s4J+9+/Pkjp/mr7
|
|
PfXj4H9UMv2Q3zOW7+Vb2Ru0zwfL9Dt90SyNbvt6DOA9KSNnUZIkN/pbKuS9fnHX
|
|
Pw7eiNPs4Rq0Ui1DJDWVsJnZV2aVSw+qHxeMVtjCWbx3O7IVGgj5W7i95iAPHRJ4
|
|
PVd1oaI2WsteoLNGpfXUD5sQr9yFRU/mRKtgSjxtKRV/nIkdwfTNcHHXIl0XuIWw
|
|
C7VmAjlZgqj7aacTZWiVXqiFkN6gDjjFv1lVYmuDQOiK52JCbcBavYnxzZxVzuSa
|
|
yIpDuhJS5vIt/B5oepoZ
|
|
=uquT
|
|
-----END PGP SIGNATURE-----
|