ArchLinux: 201603-7: bind: denial of service
Summary
- CVE-2016-1285:
Testing by ISC has uncovered a defect in control channel input handling
which can cause named to exit due to an assertion failure in sexpr.c or
alist.c when a malformed packet is sent to named's control channel (the
interface which allows named to be controlled using the 'rndc" server
control utility).
This assertion occurs before authentication but after
network-address-based access controls have been applied. Or in other
words: an attacker does not need to have a key or other authentication,
but does need to be within the address list specified in the "controls"
statement in named.conf which enables the control channel. If no
"controls" statement is present in named.conf, named still defaults to
listening for control channel information on loopback addresses
(127.0.0.1 and ::1) if the file rndc.key is present in the configuration
directory and contains a valid key.
A search for similar problems revealed an associated defect in the rndc
server control utility whereby a malformed response from the server
could cause the rndc program to crash. For completeness, it is being
fixed at the same time even though this defect in the rndc utility is
not in itself exploitable.
- CVE-2016-1286:
An error when parsing signature records for DNAME records having
specific properties can lead to named exiting due to an assertion
failure in resolver.c or db.c.
Resolution
Upgrade to 9.10.3.P4-1.
# pacman -Syu "bind>=9.10.3.P4-1"
The problem has been fixed upstream in version 9.9.8-P4 and 9.10.3.P4.
References
https://kb.isc.org/docs/aa-01352 https://kb.isc.org/docs/aa-01353 https://access.redhat.com/security/cve/CVE-2016-1285 https://access.redhat.com/security/cve/CVE-2016-1286
Workaround
- CVE-2016-1285:
Restrict access to the control channel (by using the "controls"
configuration statement in named.conf) to allow connection only from
trusted systems.
Note that if no "controls" statement is present, named defaults to
allowing control channel connections only from localhost (127.0.0.1 and
::1) if and only if the file rndc.key exists in the configuration
directory and contains valid key syntax. If rndc.key is not present and
no "controls" statement is present in named.conf, named will not accept
commands on the control channel.
- CVE-2016-1286:
None.