CVE-2015-1349: A Problem with Trust Anchor Management Can Cause named to Crash

Brian Conry bconry at isc.org
Wed Feb 18 21:04:21 UTC 2015 

A Problem with Trust Anchor Management Can Cause named to Crash

When configured to perform DNSSEC validation, named can crash when
encountering a rare set of conditions in the managed trust anchors.

CVE:               CVE-2015-1349
Document Version:  2.0
Posting date:      18 Feb 2015
Program Impacted:  BIND
Versions affected: 

   BIND 9.7.0 -> BIND 9.10.1-P1.  Also, b1 and rc1 development versions
   of the upcoming BIND maintenance releases (9.9.7b1 & rc1, 9.10.2b1 &
   rc1) are affected.

   BIND versions 9.9.6, 9.9.6-P1, 9.10.1, and 9.10.1-P1 will terminate
   consistently with an assertion in zone.c, but previous affected
   versions may exhibit unpredictable behavior, including server
   crashes, due to the use of an improperly initialized variable.

Severity:    High, but requires specific conditions.
Exploitable: Remotely, under limited circumstances.

Description:

   BIND servers which are configured to perform DNSSEC validation and
   which are using managed-keys (which occurs implicitly when using
   "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate
   with an assertion failure when encountering all of the following
   conditions in a managed trust anchor:

    * a key which was previously trusted is now flagged as revoked;
    * there are no other trusted keys available;
    * there is a standby key, but it is not trusted yet

   This situation results in termination of the named process and denial
   of service to clients, and can occur in two circumstances:

    * during an improperly-managed key rollover for one of the managed
      trust anchors (e.g. during a botched root key rollover), or
    * when deliberately triggered by an attacker, under specific and
      limited circumstances. ISC has demonstrated a proof-of-concept of
      this attack; however, the complexity of the attack is very high
      unless the attacker has a specific network relationship to the
      BIND server which is targeted

Impact:

   Only servers which are performing DNSSEC validation and which are
   using managed-keys can be affected by this vulnerability.

   Recursive validating resolvers are at the greatest risk, but
   authoritative servers could also be vulnerable if they are performing
   DNSSEC validation and using managed-keys.

   Servers which are affected may terminate with an assertion, causing
   denial of service to all clients.

CVSS Score:  5.4
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:C)

   For more information on the Common Vulnerability Scoring System and
   to obtain your specific environmental score please visit:
   http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C)

Workarounds:

   For a workaround, do not use "auto" for the dnssec-validation or
   dnssec-lookaside options and do not configure a managed-keys
   statement.  In order to do DNSSEC validation with this workaround one
   would have to configure an explicit trusted-keys statement with the
   appropriate keys.

Active exploits:

   No known active exploits.

Solution:  

   Upgrade to the patched release most closely related to your current
   version of BIND. These can be downloaded from
   http://www.isc.org/downloads.

    BIND 9.9.6-P2
    BIND 9.10.1-P2

   The issue is also fixed in the BIND development releases:

    BIND 9.9.7rc2
    BIND 9.10.2rc2

Acknowledgements:

   ISC would like to thank Jan-Piet Mens for reporting this issue.

Document Revision History:

1.0 Advance Notification, 11 February 2015
2.0 Updated Workaround section, Public Disclosure, 18 February 2015

Related Documents:

   See our BIND9 Security Vulnerability Matrix at
   https://kb.isc.org/article/AA-00913 for a complete listing of
   Security Vulnerabilities and versions affected. 

   If you'd like more information on ISC Subscription Support and
   Advance Security Notifications, please visit
   http://www.isc.org/support/.

   Do you still have questions?  Questions regarding this advisory
   should go to security-officer at isc.org.
   
   To report a new issue, please encrypt your message using
   security-officer at isc.org's PGP key which can be found here:
   https://www.isc.org/downloads/software-support-policy/openpgp-key/.
   If you are unable to use encrypted email, you may also report new
   issues at: https://www.isc.org/community/report-bug/.

Note:

   ISC patches only currently supported versions. When possible we
   indicate EOL versions affected.  (For current information on which
   versions are actively supported, please see
   http://www.isc.org/downloads/). 

ISC Security Vulnerability Disclosure Policy:

   Details of our current security advisory policy and practice can be
   found here:
   https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html

This Knowledge Base article https://kb.isc.org/article/AA-01235 is the
complete and official security advisory document. 

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on an "AS
   IS" basis. No warranty or guarantee of any kind is expressed in this
   notice and none should be implied. ISC expressly excludes and
   disclaims any warranties regarding this notice or materials referred
   to in this notice, including, without limitation, any implied
   warranty of merchantability, fitness for a particular purpose,
   absence of hidden defects, or of non-infringement. Your use or
   reliance on this notice or materials referred to in this notice is at
   your own risk. ISC may change this notice at any time.  A stand-alone
   copy or paraphrase of the text of this document that omits the
   document URL is an uncontrolled copy.  Uncontrolled copies may lack
   important information, be out of date, or contain factual errors.

(c) 2001-2015 Internet Systems Consortium

More information about the bind-announce mailing list