149 lines
5.4 KiB
Text
149 lines
5.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-16:13.bind Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Multiple BIND vulnerabilities
|
|
|
|
Category: contrib
|
|
Module: bind
|
|
Announced: 2016-03-10
|
|
Credits: ISC
|
|
Affects: FreeBSD 9.x
|
|
Corrected: 2016-03-10 07:47:55 UTC (stable/9, 9.3-STABLE)
|
|
2016-03-10 10:03:28 UTC (releng/9.3, 9.3-RELEASE-p38)
|
|
CVE Name: CVE-2016-1285, CVE-2016-1286
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
|
|
The named(8) daemon is an Internet Domain Name Server.
|
|
|
|
II. Problem Description
|
|
|
|
Testing by ISC has uncovered a defect in control channel input handling
|
|
which can cause named to exit due to an assertion failure in sexpr.c
|
|
or alist.c when a malformed packet is sent to named's control channel
|
|
(the interface which allows named to be controlled using the "rndc"
|
|
server control utility). [CVE-2016-1285]
|
|
|
|
An error when parsing signature records for DNAME records having specific
|
|
properties can lead to named exiting due to an assertion failure in
|
|
resolver.c or db.c. [CVE-2016-1286]
|
|
|
|
III. Impact
|
|
|
|
A remote attacker can deliberately trigger the failed assertion if the
|
|
DNS server accepts remote rndc commands regardless if authentication
|
|
is configured. Note that this is not enabled by default. [CVE-2016-1285]
|
|
|
|
A remote attacker who can cause a server to make a query deliberately
|
|
chosen to generate a response containing a signature record which
|
|
would trigger a failed assertion and cause named to stop. Disabling
|
|
DNSsec does not provide protection against this vulnerability.
|
|
[CVE-2016-1286]
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but hosts not running named(8) are not
|
|
vulnerable.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
The named service has to be restarted after the update. A reboot is
|
|
recommended but not required.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
The named service has to be restarted after the update. A reboot is
|
|
recommended but not required.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:13/bind.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:13/bind.patch.asc
|
|
# gpg --verify bind.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart the named(8) daemon, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/9/ r296608
|
|
releng/9.3/ r296611
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://kb.isc.org/article/AA-01352>
|
|
|
|
<URL:https://kb.isc.org/article/AA-01353>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:13.bind.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.11 (FreeBSD)
|
|
|
|
iQIcBAEBCgAGBQJW4UdUAAoJEO1n7NZdz2rnmRwQAIXDSu/gX5A+CFv6+9/2ak+H
|
|
3JOMO8p7KSKWhc1Hh7uqTUEy04lmpUylzK6Kj3h5PDNVaObxCcqsCAdy9xLYv8Q6
|
|
scBLeaDRPnwVQ1Mb/pkx1pdKSG7oKjY00PY0/hTKOVJUC1tJIoiAX8ExFqt53UKc
|
|
LHjzrFrHh/0lBebYj8jmqW8Pxhi8nluuwWhtrwFgiG/XR15k69TRjPHnLOfXVwqs
|
|
ORJb/8pVHYsNkGP3JB1xWMVs1nKLjzc7+Gm43OmLCa6QeLgQWqYmguoUl0FEHpoI
|
|
nPqlukYT3V9BfMR+fwoNXXUjgjiK66onvS/O3yhyCPCrRgnw0ZVVSF2jbPUhT638
|
|
p1QwN9snoTzxY0CpCjcjpZvf9Zhfyzc8UFnl2hm0rmAuCiOPBTeJ16AG3a8S40vF
|
|
/xoq4P6gNxUTQrPpGmG3Z/tfUQsxIpzib9D6ncDD5feuRyLB9y/MQSK1wxZjXDjk
|
|
2Bmaqk5foXNJfNEViNfJ4yy2qqED114ZpPIcDbSyIX9HeiKBo9BTEZ7Q9nEUHurN
|
|
GcnvimUuhk+hYJDEsELDSGDSLT6aMaD/hXVTMQeQwxQKh7QDFfzJsUlA44tqB56V
|
|
sn6VfIiA++K/JAFrAExD2FhtaIlOsUx24dUYkhcfNuVVBm3lgGCECeKGFxdNu2SM
|
|
kRc1+1ihyNRolL47E3s/
|
|
=OncW
|
|
-----END PGP SIGNATURE-----
|