NetBSD Security Advisory 2006-022
=================================

Topic:          BIND recursive query and SIG query processing

Version:        NetBSD-current:     source prior to September 05, 2006
                NetBSD 4.0_BETA:    affected
                NetBSD 3.1_RC3:     not affected
                NetBSD 3.0.*:       affected
                NetBSD 3.0:         affected
                NetBSD 2.1:         not affected
                NetBSD 2.0.*:       not affected
                NetBSD 2.0:         not affected
                pkgsrc:             bind-9.3.2nb1 and earlier

Severity:       Denial of service

Fixed:          NetBSD-current:     September 05, 2006
                NetBSD-4 branch:    September 06, 2006 (4.0 will include the fix)
                NetBSD-3-0 branch:  September 06, 2006 (3.0.2 will include the fix)
                NetBSD-3 branch:    September 06, 2006 (3.1 will include the fix)
                pkgsrc:             bind-9.3.2nb2 corrects the issue


Abstract
========

Two denial of service vulnerabilities have been reported in bind which
can cause the name server daemon to crash. The vulnerabilities relate
to the processing of SIG queries and recursive queries.

The SIG query processing issue has been assigned CVE reference
CVE-2006-4095. The recursive query issue has been assigned CVE
reference CVE-2006-4096.


Technical Details
=================

Issue #1: SIG query processing

It is possible for an attacker to crash a name server by sending
certain SIG queries. SIG queries are a part of the RFC 2535 DNSSEC
extensions. The exploitation of this issue is dependent on the
configuration of the name server that receives the query:

  * Recursive servers

    Queries for SIG records will trigger an assertion failure if more
    than one RRset is returned.

  * Authoritative servers

    Queries for SIG records will trigger an assertion failure where
    there are multiple RRsets when the name server tries to construct
    the response.

Issue #2: Recursive query handling

It is possible for an attacker to crash a name server by sending enough
recursive queries that the response to the query arrives after all the
clients looking for the response have left the recursion queue.
For further information see:

  * http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en
  * http://www.kb.cert.org/vuls/id/915404
  * http://www.kb.cert.org/vuls/id/697164


Solutions and Workarounds
=========================

If your name server is not configured to process SIG queries then you
are not vulnerable to the SIG denial of service attack.

Both vulnerabilities can be mitigated by limiting who can perform
specific queries against the name server. In particular, it is
recommended practice, regardless of this vulnerability, to accept
recursive queries only from local clients who would be expected to
query this nameserver directly, not from unknown Internet sources.

The 'allow-recursion' directive in the options section of named.conf
should be configured with an appropriate address list, as in the
following simple example:

    options {
        directory "/etc/namedb";
        allow-recursion { 1.2.3.4/24; 127.0.0.1/32; ::1; };
    };

It is recommended that NetBSD users of vulnerable versions update their
binaries. The following instructions describe how to upgrade your bind
binaries by updating your source tree and rebuilding and installing a
new version of bind.

  * NetBSD-current:

    Systems running NetBSD-current dated from before 2006-09-05 should
    be upgraded to NetBSD-current dated 2006-09-06 or later.

    The following files need to be updated from CVS HEAD:

        dist/bind/bin/named/query.c
        dist/bind/lib/dns/resolver.c

    To update from CVS, re-build, and re-install bind:

        # cd src
        # cvs update dist/bind/bin/named/query.c
        # cvs update dist/bind/lib/dns/resolver.c
        # cd usr.sbin/bind
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

  * NetBSD 3.*:

    Systems running NetBSD 3.* sources dated from before 2006-09-06
    should be upgraded from NetBSD 3.* sources dated 2006-09-07 or
    later.
    The following files need to be updated from the netbsd-3 or
    netbsd-3-0 CVS branch:

        dist/bind/bin/named/query.c
        dist/bind/lib/dns/resolver.c

    To update from CVS, re-build, and re-install bind:

        # cd src
        # cvs update -r dist/bind/bin/named/query.c
        # cvs update -r dist/bind/lib/dns/resolver.c
        # cd usr.sbin/bind
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install


Thanks To
=========

CERT for notification and co-ordination of the issue.

The Internet Software Consortium is credited with the discovery and
correction of both issues.


Revision History
================

2006-09-21      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-022.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/


Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-022.txt,v 1.3 2006/09/21 13:33:13 adrianp Exp $
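The following is an added example, not part of the advisory: a small checker for the allow-recursion workaround described under Solutions and Workarounds. It extracts the allow-recursion address list from a named.conf fragment and reports entries that admit arbitrary Internet clients. The sample configurations are constructed here, and the check assumes (as a labelled assumption) that a missing directive leaves the server's default in force and should be reported for review.

```python
import ipaddress
import re

# Constructed sample named.conf fragments (not taken from the advisory).
PERMISSIVE_CONF = 'options {\n    directory "/etc/namedb";\n    allow-recursion { any; };\n};\n'
RESTRICTED_CONF = ('options {\n    directory "/etc/namedb";\n'
                   '    allow-recursion { 1.2.3.4/24; 127.0.0.1/32; ::1; };\n};\n')
MISSING_CONF = 'options {\n    directory "/etc/namedb";\n};\n'

# Built-in ACL names that never widen the list to arbitrary Internet hosts.
SAFE_BUILTIN_ACLS = {"localhost", "localnets", "none"}


def allow_recursion_entries(conf):
    """Return the entries of the allow-recursion address list, or None if
    the directive is absent from the fragment."""
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def check_allow_recursion(conf):
    """Return a list of findings; an empty list means recursion is limited
    to explicit address ranges, as the advisory's workaround recommends."""
    entries = allow_recursion_entries(conf)
    if entries is None:
        # Assumption: with no directive the server default applies, which
        # this check does not trust and reports for review.
        return ["allow-recursion not set; server default applies"]
    findings = []
    for e in entries:
        low = e.lower()
        if low.startswith("!") or low in SAFE_BUILTIN_ACLS:
            continue                      # negations and safe built-ins never widen the list
        if low == "any":
            findings.append("entry 'any' permits recursion from all clients")
            continue
        try:
            net = ipaddress.ip_network(e, strict=False)
        except ValueError:
            findings.append("entry '%s' is a named acl; review its definition" % e)
            continue
        if net.prefixlen == 0:            # 0.0.0.0/0 or ::/0
            findings.append("entry '%s' covers the whole address space" % e)
    return findings


if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, check_allow_recursion(conf) or "ok")
```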