Bugzilla – Bug 987866
VUL-1: CVE-2016-6170: bind: malicious primary DNS servers can crash secondaries
Last modified: 2020-09-24 14:58:03 UTC
via oss-sec http://seclists.org/oss-sec/2016/q3/19

"most DNS server implementations do not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server."

from https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html

> * [ For [LT] Secondary DNS Service ]
>
> See https://github.com/sischkg/xfer-limit
>
> Most authoritative DNS server software does not have a size limit on
> zone transfers. He generated unlimited zone information at the master
> server and transferred it to slave servers. BIND 9, Knot DNS and PowerDNS
> slave servers received unlimited zone information and died.
> NSD slave DNS server received unlimited zone data and /tmp became full.
>
> He generated zone transfer size limit patches for BIND 9, Knot, NSD,
> PowerDNS.

Third party patches at https://github.com/sischkg/xfer-limit

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6170
http://seclists.org/oss-sec/2016/q3/20
Scenario for a vulnerable configuration: "hidden master" setups, where a DNS service provider pulls a zone via XFER.

I guess we'll want to wait for something official from ISC.
bugbot adjusting priority
Waiting for patches from upstream project.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-01-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63332
Navin, is this patch enough to mitigate the issue?

> https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=5f8412a4cb5ee14a0e8cddd4107854b40ee3291e
(In reply to Nikola Pajkovsky from comment #6)
> Navin,
>
> is this patch enough to mitigate issue?
>
> > https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=5f8412a4cb5ee14a0e8cddd4107854b40ee3291e

Based on the solution provided on the ISC Knowledge Base and the commit description, this patch is enough to mitigate the issue.

- Solution: "ISC wish to stress that the behavior in question is not a failure of BIND to implement DNS protocols correctly, but is if anything an oversight in the protocol. However, for the convenience of operators who take zone data from untrusted sources (such as secondary name service providers) we have committed to delivering a feature in upcoming maintenance releases of BIND which will address the issue by allowing operators to set limits on the maximum zone size BIND will accept."

- Commit message: 4504. [security] Allow the maximum number of records in a zone to be specified. This provides a control for issues raised in CVE-2016-6170. [RT #42143]
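The upstream change discussed above gives operators a per-zone record cap. The following named.conf fragment is an added example, not taken from this bug, from the SUSE patches or from ISC, showing how a secondary that pulls from a primary it does not control would apply it. The option name is BIND's own `max-records` (default 0, meaning unlimited, which is the pre-fix behaviour); the zone name, primary address, file paths and limit values are placeholders.

```conf
// Added example (not from this bug report or from ISC): capping zone size on a
// secondary that pulls from a primary it does not control.
// Zone name, addresses, paths and limit values are placeholders.

options {
    directory "/var/lib/named";

    // Global ceiling for every zone served by this instance.
    // max-records defaults to 0, i.e. no limit at all (the behaviour
    // CVE-2016-6170 describes).
    max-records 500000;
};

// Zone pulled from an external "hidden master" (the scenario in comment 2).
// A per-zone limit overrides the global one for this zone only, so one
// misbehaving primary cannot consume memory meant for the other zones.
zone "customer.example" {
    type slave;
    masters { 192.0.2.10; };          // placeholder primary address
    file "slave/customer.example.db";
    max-records 50000;                // transfer fails once this many records arrive
};

// Keep incoming-transfer logging visible so a refused transfer is noticed
// rather than silently leaving the secondary serving stale data.
logging {
    channel xfer_log {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category xfer-in { xfer_log; };
};
```

A transfer that exceeds the limit is rejected and the copy of the zone already loaded stays in service, so the cap should be set comfortably above the zone's legitimate size and the xfer-in log watched for repeated failures, which are the operational sign that either the primary has grown past the limit or something is wrong on its side.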
Leonardo suggests that further code/security review should have been done here.

I have, meanwhile, done backporting for sles12-sp1, sles11-sp4 and sles11-sp1 in bsc#1028603. So I'm attaching the following patches:

[v2] sles12-sp1-bind-CVE-2016-6170.patch
[v1] sles11-sp4-bind-CVE-2016-6170.patch
[v1] sles11-sp1-bind-CVE-2016-6170.patch

Please do code review.
Created attachment 719774 [details] [v2] sles12-sp1-bind-CVE-2016-6170.patch
Created attachment 719775 [details] [v1] sles11-sp4-bind-CVE-2016-6170.patch
Created attachment 719777 [details] [v1] sles11-sp1-bind-CVE-2016-6170.patch
Changes look good to me.
SUSE-SU-2017:0998-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1020983,1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): bind-9.9.9P1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): bind-9.9.9P1-59.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): bind-9.9.9P1-59.1
SUSE Linux Enterprise Server 12-SP2 (src): bind-9.9.9P1-59.1
SUSE Linux Enterprise Server 12-SP1 (src): bind-9.9.9P1-59.1
SUSE Linux Enterprise Desktop 12-SP2 (src): bind-9.9.9P1-59.1
SUSE Linux Enterprise Desktop 12-SP1 (src): bind-9.9.9P1-59.1
SUSE-SU-2017:0999-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): bind-9.9.9P1-28.34.1
SUSE Linux Enterprise Server 12-LTSS (src): bind-9.9.9P1-28.34.1
SUSE-SU-2017:1000-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE OpenStack Cloud 5 (src): bind-9.9.6P1-0.44.1
SUSE Manager Proxy 2.1 (src): bind-9.9.6P1-0.44.1
SUSE Manager 2.1 (src): bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Server 11-SP4 (src): bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): bind-9.9.6P1-0.44.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-04-20. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63541
openSUSE-SU-2017:1063-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1020983,1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
openSUSE Leap 42.2 (src): bind-9.9.9P1-48.3.1
openSUSE Leap 42.1 (src): bind-9.9.9P1-51.1
released