CVE-2013-6230: A Winsock API Bug Can Cause a Side-Effect With BIND ACLs

Michael McNally mcnally at isc.org
Wed Nov 6 20:03:46 UTC 2013


A Winsock library call on some Windows systems can return an incorrect
value for an interface's netmask, potentially causing unexpected
matches to BIND's built-in "localnets" Access Control List.

CVE:                   CVE-2013-6230
Document Version:      1.1
Posting date:          06 November 2013
Program Impacted:      BIND
Versions affected:     Windows versions 9.6-ESV->9.6-ESV-R10,
                       9.8.0->9.8.6, 9.9.0->9.9.4;
                       ONLY Windows servers are affected.
Severity:              High, for Windows systems with a specific
                       netmask value set.
Exploitable:           Remotely

Description:

   On some Microsoft Windows systems, a network interface that has
   an "all ones" IPv4 subnet mask (255.255.255.255) will be incorrectly
   reported (by the Winsock WSAIoctl API) as an all zeros value
   (0.0.0.0). Because interfaces' netmasks are used to compute the
   broadcast domain for each interface during construction of the
   built-in "localnets" ACL, an all zeros netmask can cause matches
   on any IPv4 address, permitting unexpected access to any BIND
   feature configured to allow access to "localnets".  And unless
   overridden by a specific value in named.conf, the default
   permissions for several BIND features (for example, allow-query-cache,
   allow-query-cache-on, allow-recursion, and others) use this
   predefined "localnets" ACL.

   In addition, non-default access controls and other directives
   using an address match list with the predefined "localnets" ACL
   may not match as expected. This may include rndc "controls",
   "allow-notify", "allow-query", "allow-transfer", "allow-update",
   "blackhole", "filter-aaaa", "deny-answer-addresses", "exempt-clients",
   and other directives if an administrator has specified the
   "localnets" ACL in their match lists.

   A support ticket has been filed with Microsoft for this winsock
   bug but Windows server administrators should use the workaround
   or upgrade to patched versions of BIND which override the incorrect
   value supplied by the flawed winsock call.

   Only systems running versions of Microsoft Windows which have
   the flawed winsock call are vulnerable to this defect.  Unix
   servers are not affected.
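
   The following is an added illustration, not code from the advisory or
   from BIND itself: it reproduces how an interface's address and netmask
   collapse into a "localnets" prefix, shows why a mask reported as
   0.0.0.0 makes that prefix cover every IPv4 address, and includes an
   example override of the bogus mask (the override logic is an
   assumption for illustration, not ISC's actual patch). The interface
   and client addresses are constructed sample values.

```python
import ipaddress

# Constructed sample: one interface as configured, and the mask the flawed
# Winsock call hands back for it on affected Windows systems.
INTERFACE_ADDR = "192.0.2.10"
MASK_CONFIGURED = "255.255.255.255"
MASK_AS_REPORTED = "0.0.0.0"


def localnets_entry(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Prefix that one (address, netmask) interface contributes to the
    built-in "localnets" ACL: the address masked down to its broadcast
    domain. A 0.0.0.0 mask yields 0.0.0.0/0, i.e. the whole IPv4 space."""
    return ipaddress.IPv4Network((address, netmask), strict=False)


def acl_prefixlen(address: str, netmask: str) -> int:
    """Prefix length of the entry (32 for a host route, 0 for 'everything')."""
    return localnets_entry(address, netmask).prefixlen


def localnets_matches(client: str, entries) -> bool:
    """Would this client address be accepted by the computed ACL?"""
    addr = ipaddress.IPv4Address(client)
    return any(addr in net for net in entries)


def override_netmask(address: str, netmask: str) -> str:
    """Example defensive override (assumption, not ISC's patch): a zero
    mask on a configured non-zero address is never a real broadcast
    domain, so fall back to a /32 host entry instead of matching all."""
    if netmask == "0.0.0.0" and address != "0.0.0.0":
        return "255.255.255.255"
    return netmask


if __name__ == "__main__":
    buggy = [localnets_entry(INTERFACE_ADDR, MASK_AS_REPORTED)]
    safe_mask = override_netmask(INTERFACE_ADDR, MASK_AS_REPORTED)
    fixed = [localnets_entry(INTERFACE_ADDR, safe_mask)]
    # A remote client matches "localnets" under the bug, not after the override.
    for client in ("192.0.2.10", "198.51.100.77"):
        print(client, "buggy:", localnets_matches(client, buggy),
              "fixed:", localnets_matches(client, fixed))
```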

Impact:

   Under this defect, access controls and other directives which
   use "localnets" as part of the address match list may match much
   more broadly than was intended by the server administrator.
   Please note that in addition to configuration statements where
   the "localnets" acl is used explicitly, "localnets" may also be
   used in the default behavior for some features (such as
   "allow-recursion") unless specifically overridden in the
   configuration file.  Allowing recursion to all reachable IPv4
   addresses entails a number of risks, including increased exposure
   to cache poisoning and the possibility of being used in a
   reflection attack.

   In a small number of environments, correcting this defect may
   result in denial of service to desired clients that were previously
   permitted (erroneously) because of an
   over-broad interpretation of "localnets".  When upgrading to a
   patched version, administrators are advised to double-check their
   configuration file to confirm that all features which are
   controlled by access control lists are permitted appropriately.

CVSS Score:  6.8

CVSS Equation:  (AV:N/AC:M/Au:N/C:P/I:P/A:P)

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P).

Workarounds:

   On Windows, make sure you are not using a 255.255.255.255 netmask;
   or, if you have to use the 255.255.255.255 netmask, make sure
   you are not allowing default ACLs that contain "localnets".

   For other scenarios on Windows, we recommend that administrators
   do not use the "localnets" ACL without using the patched version.

Active exploits: 

   No known active exploits but a public discussion of the issue
   has taken place on a public mailing list and in a blog article.

Solution: 

   Upgrade to the patched release most closely related to your
   current version of BIND. Open source versions can all be downloaded
   from http://www.isc.org/downloads. Subscription version customers
   will be contacted directly by ISC Support regarding delivery.

   -  BIND 9 version 9.6-ESV-R10-P1
   -  BIND 9 version 9.8.6-P1
   -  BIND 9 version 9.9.4-P1

Please Note:

   Older versions of BIND that are beyond their "end of life" (EOL)
   no longer receive testing or security fixes from ISC. For current
   information on which versions are actively supported, please see
   http://www.isc.org/downloads/software-support-policy/bind-software-status/.

Acknowledgements:

   ISC would like to thank the Parallels Plesk Service Team for
   reporting the open DNS recursion issue.

Document Revision History:

   1.0 Advance Notification, 30 October 2013
   1.1 Phase 2&3 Notification, 05 November 2013
   2.0 Public Disclosure, 06 November 2013

See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected.  https://kb.isc.org/article/AA-00913

This Knowledge Base article https://kb.isc.org/article/AA-01063 provides additional information and Frequently Asked Questions about this advisory.

If you'd like more information on our ISC Member program please
visit https://www.isc.org/members/, or product support please visit
http://www.dns-co.com/solutions/.

Do you still have questions?  Questions regarding this advisory
should go to security-officer at isc.org.  To report a new issue,
please encrypt your message using security-officer at isc.org's PGP
key which can be found here:

   https://www.isc.org/downloads/software-support-policy/openpgp-key/

If you are unable to use encrypted email, you may also report new
issues at:

   https://www.isc.org/mission/contact/.

ISC Security Vulnerability Disclosure Policy:

   Details of our current security advisory policy and practice can
   be found here: https://kb.isc.org/article/AA-00861

This Knowledge Base article https://kb.isc.org/article/AA-01062 is
the complete and official security advisory document.

Legal Disclaimer: 

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time.  A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.

(c) 2001-2013 Internet Systems Consortium

