=============================================================================
FreeBSD-SA-15:23.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-09-02
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2015-09-02 20:06:46 UTC (stable/9, 9.3-STABLE)
                2015-09-02 20:07:03 UTC (releng/9.3, 9.3-RELEASE-p25)
CVE Name:       CVE-2015-5722

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.  The libdns
library is a library of DNS protocol support functions.

II.  Problem Description

Parsing a malformed DNSSEC key can cause a validating resolver to exit
due to a failed assertion in buffer.c.

III. Impact

A remote attacker can deliberately trigger the failed assertion, which
will cause an affected server to terminate, by using a query that
requires a response from a zone containing a malformed key, resulting
in a denial of service condition.

Recursive servers are at greatest risk; however, an authoritative server
could also be affected if an attacker controls a zone that the server
must query against to perform its zone service.

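A detection sketch for the failure described above, added here and not
part of the original advisory: it pairs a buffer.c assertion message
with the exit message logged by the same named(8) process.  The log
message format is an assumption about how named reports assertion
failures, and the sample lines (host, PIDs, line numbers, assertion
expressions) are constructed.

```sh
#!/bin/sh
# Added example (not from the advisory): report named(8) exits that
# follow a failed assertion in buffer.c.

# Constructed sample in syslog format. Host, PIDs, source line numbers
# and assertion expressions are made up for the demonstration.
sample_log() {
cat <<'EOF'
Sep  2 03:14:07 ns1 named[812]: running
Sep  2 03:14:09 ns1 named[812]: buffer.c:127: REQUIRE(b->current + n <= b->used) failed
Sep  2 03:14:09 ns1 named[812]: exiting (due to assertion failure)
Sep  2 04:02:51 ns1 named[901]: zone.c:555: INSIST(zone != 0) failed
Sep  2 04:02:51 ns1 named[901]: exiting (due to assertion failure)
Sep  2 04:03:00 ns1 named[1044]: buffer.c:127: REQUIRE(b->current + n <= b->used) failed
EOF
}

# Read syslog lines on stdin and print "<timestamp> pid=<pid> <assertion>"
# for each named process that logged a buffer.c assertion and then
# exited because of an assertion failure.
find_buffer_assert_exits() {
    awk '
    match($0, /named\[[0-9]+\]: /) {
        pid = substr($0, RSTART + 6, RLENGTH - 9)   # digits between [ and ]
        msg = substr($0, RSTART + RLENGTH)          # text after "named[pid]: "
        if (msg ~ /^buffer\.c:[0-9]+: .* failed/) {
            pending[pid] = msg
        } else if (msg ~ /^exiting \(due to assertion failure\)/ && (pid in pending)) {
            print $1, $2, $3, "pid=" pid, pending[pid]
            delete pending[pid]
        }
    }'
}

# Number of matching crash events on stdin.
count_buffer_assert_exits() {
    find_buffer_assert_exits | wc -l | tr -d ' '
}

sample_log | find_buffer_assert_exits
```

Assertions from other source files (PID 901 in the sample) and a
buffer.c assertion with no exit line (PID 1044) are not reported.
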
IV.  Workaround

No workaround is available, but hosts not running named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update.  A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:23/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:23/bind.patch.asc
# gpg --verify bind.patch.asc

Please note that FreeBSD 9.3-STABLE is also affected by another issue
(CVE-2015-5986), and a different patch should be used.

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the named(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r287409
releng/9.3/                                                       r287410
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

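A triage sketch built on the values in this advisory (Affects,
Corrected, Workaround and the stable/9 revision above), added here and
not part of the original text.  The helper names sa1523_status and
is_number are hypothetical, and the inputs are assumed to come from
uname -r, the rNNNNNN field of uname -v, and the state of the named
service.

```sh
#!/bin/sh
# Added example (not from the advisory): classify a host against
# FreeBSD-SA-15:23.bind. Thresholds are the advisory's own values:
# 9.3-RELEASE-p25 for releng/9.3 and r287409 for stable/9.

is_number() {
    case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# sa1523_status VERSION REVISION NAMED   (hypothetical helper)
#   VERSION   release string, e.g. "9.3-RELEASE-p24" (assumed: uname -r)
#   REVISION  source revision "rNNNNNN", or "" if unknown
#   NAMED     "yes" if named(8) runs on the host, anything else if not
sa1523_status() {
    ver=$1; rev=${2#r}; named=$3
    if [ "$named" != "yes" ]; then
        echo "not-vulnerable (named not running)"; return 0
    fi
    case $ver in
        9.3-RELEASE|9.3-RELEASE-p*)
            plevel=${ver#9.3-RELEASE}; plevel=${plevel#-p}; plevel=${plevel:-0}
            if ! is_number "$plevel"; then
                echo "unknown (unparsed patch level)"
            elif [ "$plevel" -ge 25 ]; then
                echo "patched"
            else
                echo "vulnerable (needs 9.3-RELEASE-p25 or later)"
            fi ;;
        9.*-STABLE)
            if ! is_number "$rev"; then
                echo "unknown (no revision; compare build date with correction date)"
            elif [ "$rev" -ge 287409 ]; then
                echo "patched"
            else
                echo "vulnerable (needs stable/9 r287409 or later)"
            fi ;;
        9.*)
            echo "vulnerable (no corrected branch listed for this version)" ;;
        *)
            echo "not-affected (advisory lists FreeBSD 9.x only)" ;;
    esac
}

# Constructed inputs; on a live host they would be collected by hand.
sa1523_status 9.3-RELEASE-p24 "" yes
sa1523_status 9.3-STABLE r287409 yes
```

uname -r reports the kernel's patch level, which can lag behind userland
after a binary update, so confirm a "vulnerable" result against the
installed named(8) before acting on it.
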
VII. References

<URL:https://kb.isc.org/article/AA-01287>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722>

CVE-2015-5986 is listed here for completeness and affects FreeBSD
9.3-STABLE but not FreeBSD 9.3-RELEASE:

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5986>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:23.bind.asc>