Alerts This Week
Warning Icon 1 687
Alerts This Week
Warning Icon 1 687

Arch Linux: ASA-201603-7 High Severity: Bind Denial Of Service Threat

Calendar Mar 10, 2016 User Avatar LinuxSecurity Advisories
2 - 3 min read
Archlinux Large Esm H500
Topics%20covered

Topics Covered

security advisory denial of service security update high severity software patch bind Arch Linux
The package bind before version 9.10.3.P4-1 is vulnerable to denial of service. 
Arch Linux Security Advisory ASA-201603-7
========================================
Severity: High
Date    : 2016-03-09
CVE-ID  : CVE-2016-1285 CVE-2016-1286
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package bind before version 9.10.3.P4-1 is vulnerable to denial of
service.

Resolution
=========
Upgrade to 9.10.3.P4-1.

# pacman -Syu "bind>=9.10.3.P4-1"

The problem has been fixed upstream in version 9.9.8-P4 and 9.10.3.P4.

Workaround
=========
- CVE-2016-1285:

Restrict access to the control channel (by using the "controls"
configuration statement in named.conf) to allow connection only from
trusted systems.

Note that if no "controls" statement is present, named defaults to
allowing control channel connections only from localhost (127.0.0.1 and
::1) if and only if the file rndc.key exists in the configuration
directory and contains valid key syntax.  If rndc.key is not present and
no "controls" statement is present in named.conf, named will not accept
commands on the control channel.

- CVE-2016-1286:

None.

Description
==========
- CVE-2016-1285:

Testing by ISC has uncovered a defect in control channel input handling
which can cause named to exit due to an assertion failure in sexpr.c or
alist.c when a malformed packet is sent to named's control channel (the
interface which allows named to be controlled using the 'rndc" server
control utility).

This assertion occurs before authentication but after
network-address-based access controls have been applied.  Or in other
words:  an attacker does not need to have a key or other authentication,
but does need to be within the address list specified in the "controls"
statement in named.conf which enables the control channel.  If no
"controls" statement is present in named.conf, named still defaults to
listening for control channel information on loopback addresses
(127.0.0.1 and ::1) if the file rndc.key is present in the configuration
directory and contains a valid key.

A search for similar problems revealed an associated defect in the rndc
server control utility whereby a malformed response from the server
could cause the rndc program to crash.  For completeness, it is being
fixed at the same time even though this defect in the rndc utility is
not in itself exploitable.

- CVE-2016-1286:

An error when parsing signature records for DNAME records having
specific properties can lead to named exiting due to an assertion
failure in resolver.c or db.c.

Impact
=====
A remote attacker can crash a vulnerable bind server, authoritative or
recursive, by sending a crafted response to a query or, if allowed by
the network-address-based ACLs, by sending a crafted packet to the
control channel.

References
=========
https://kb.isc.org/docs/aa-01352
https://kb.isc.org/docs/aa-01353
https://access.redhat.com/security/cve/CVE-2016-1285
https://access.redhat.com/security/cve/CVE-2016-1286

Related News

Your message here