CVE-2013-6320: A Winsock API Bug Can Cause a Side-Effect With BIND ACLs
mcnally at isc.org
Wed Nov 6 20:03:46 UTC 2013
A Winsock library call on some Windows systems can return an incorrect
value for an interface's netmask, potentially causing unexpected
matches to BIND's built-in "localnets" Access Control List.
Document Version: 1.1
Posting date: 06 November 2013
Program Impacted: BIND
Versions affected: Windows versions 9.6-ESV->9.6-ESV-R10,
ONLY Windows servers are affected.
Severity: High, for Windows systems with a specific
netmask value set.
On some Microsoft Windows systems, a network interface that has
an "all ones" IPv4 subnet mask (255.255.255.255) will be incorrectly
reported (by the Winsock WSAIoctl API) as an all zeros value
(0.0.0.0) Because interfaces' netmasks are used to compute the
broadcast domain for each interface during construction of the
built-in "localnets" ACL, an all zeroes netmask can cause matches
on any IPv4 address, permitting unexpected access to any BIND
feature configured to allow access to "localnets". And unless
overridden by a specific value in named.conf, the default
permissions for several BIND features (for example, allow-query-cache,
allow-query-cache-on, allow-recursion, and others) use this
predefined "localnets" ACL.
In addition, non-default access controls and other directives
using an address match list with the predefined "localnets" ACL
may not match as expected. This may include rndc "controls",
"allow-notify", "allow-query", "allow-transfer", "allow-update",
"blackhole", "filter-aaaa", "deny-answer-addresses", "exempt-clients",
and other directives if an administrator has specified the
"localnets" ACL in their match lists.
A support ticket has been filed with Microsoft for this winsock
bug but Windows server administrators should use the workaround
or upgrade to patched versions of BIND which override the incorrect
value supplied by the flawed winsock call.
Only systems running versions of Microsoft Windows which have
the flawed winsock call are vulnerable to this defect. Unix
servers are not affected.
Under this defect, access controls and other directives which
use "localnets" as part of the address match list may match much
more broadly than was intended by the server administrator.
Please note that in addition to configuration statements where
the "localnets" acl is used explicitly, "localnets" may also be
used in the default behavior for some features (such as
"allow-recursion") unless specifically overridden in the
configuration file. Allowing recursion to all reachable IPv4
addresses entails a number of risks, including increased exposure
to cache poisoning and the possibility of being used in a
It is possible that in a small number of environments that
correcting this defect may result in denial of service to desired
clients that were previously permitted (erroneously) because of
over-broad interpretation of "localnets". When upgrading to a
patched version, administrators are advised to double-check their
configuration file to confirm that all features which are
controlled by access control lists are permitted appropriately.
CVSS Score: 6.8
CVSS Equation: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
On Windows, make sure you are not using a 255.255.255.255 netmask;
or, if you have to use the 255.255.255.255 netmask, make sure
you are not allowing default ACLs that contain "localnets".
For other scenarios on Windows, we recommend that administrators
do not use the "localnets" ACL without using the patched version.
No known active exploits but a public discussion of the issue
has taken place on a public mailing list and in a blog article.
Upgrade to the patched release most closely related to your
current version of BIND. Open source versions can all be downloaded
from http://www.isc.org/downloads. Subscription version customers
will be contacted directly by ISC Support regarding delivery.
- BIND 9 version 9.6-ESV-R10-P1
- BIND 9 version 9.8.6-P1
- BIND 9 version 9.9.4-P1
Older versions of BIND that are beyond their "end of life" (EOL)
no longer receive testing or security fixes from ISC. For current
information on which versions are actively supported, please see
ISC would like to thank the Parallels Plesk Service Team for
reporting the open DNS recursion issue.
Document Revision History:
1.0 Advance Notification, 30 October 2013
1.1 Phase 2&3 Notification, 05 November 2013
2.0 Public Disclosure, 06 November 2013
See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected. https://kb.isc.org/article/AA-00913
This Knowledge Base article https://kb.isc.org/article/AA-01063 provides additional information and Frequently Asked Questions about this advisory.
If you'd like more information on our ISC Member program please
visit https://www.isc.org/members/, or product support please visit
Do you still have questions? Questions regarding this advisory
should go to security-officer at isc.org. To report a new issue,
please encrypt your message using security-officer at isc.org's PGP
key which can be found here:
If you are unable to use encrypted email, you may also report new
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can
be found here: https://kb.isc.org/article/AA-00861
This Knowledge Base article https://kb.isc.org/article/AA-01062 is
the complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.
(c) 2001-2013 Internet Systems Consortium
More information about the bind-announce