Subject: NetBSD Security Advisory 2006-022: BIND recursive query and SIG query processing
To: None <current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 09/21/2006 22:36:01
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2006-022
		 =================================

Topic:		BIND recursive query and SIG query processing

Version:	NetBSD-current:	source prior to September 05, 2006
		NetBSD 4.0_BETA:	affected
		NetBSD 3.1_RC3:		not affected
		NetBSD 3.0.*:		affected
		NetBSD 3.0:		affected
		NetBSD 2.1:		not affected
		NetBSD 2.0.*:		not affected
		NetBSD 2.0:		not affected
		pkgsrc:			bind-9.3.2nb1 and earlier

Severity:	Denial of service

Fixed:		NetBSD-current:		September 05, 2006
		NetBSD-4 branch:	September 06, 2006
			(4.0 will include the fix)	
		NetBSD-3-0 branch:	September 06, 2006
			(3.0.2 will include the fix)
		NetBSD-3 branch:	September 06, 2006
			(3.1 will include the fix)
		pkgsrc:			bind-9.3.2nb2 corrects the issue


Abstract
========

Two denial of service vulnerabilities have been reported in BIND, either
of which can cause the name server daemon (named) to crash.  The
vulnerabilities relate to the processing of SIG queries and of
recursive queries.

The SIG query processing issue has been assigned CVE reference CVE-2006-4095.
The recursive query issue has been assigned CVE reference CVE-2006-4096.


Technical Details
=================

Issue #1: SIG query processing (CVE-2006-4095)

It is possible for an attacker to crash a name server by sending
certain queries for SIG records.  SIG is the signature record type of
the RFC 2535 DNSSEC extensions.  Whether the issue can be triggered
depends on the configuration of the name server that receives the
query:

* Recursive servers
A query for SIG records triggers an assertion failure, and so a crash
of named, when more than one RRset is returned for the queried name.

* Authoritative servers
A query for SIG records triggers an assertion failure when the queried
name has multiple RRsets and the name server tries to construct the
response.


Issue #2: Recursive query handling (CVE-2006-4096)

It is possible for an attacker to crash a name server by sending
enough recursive queries that a response from an upstream server
arrives only after all of the clients waiting for that response have
already left the recursion queue; named does not handle this case and
crashes.


For further information see:
 * http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en
 * http://www.kb.cert.org/vuls/id/915404
 * http://www.kb.cert.org/vuls/id/697164


Solutions and Workarounds
=========================

If your name server is not configured to process SIG queries, it is
not exposed to the SIG denial of service.  Exposure to both issues can
be reduced by limiting which sources are allowed to send the relevant
queries (SIG queries and recursive queries) to the name server.
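Before and after tightening the address lists it is useful to see what an outside client actually gets from the server.  The following probe, added here as an illustration and not taken from the advisory or from ISC, sends one query with the RD (recursion desired) bit set and reads the flags in the reply: a server willing to recurse for the querying address sets RA (recursion available), one that is not clears it, and one that rejects the query outright (for example under allow-query) answers with RCODE REFUSED.  www.example.com is a placeholder name, and the three sample reply headers at the bottom are constructed bytes used only for offline checking, not captured traffic.

```python
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted host name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, qtype=QTYPE_A, rd=True):
    """Build a one-question DNS query; rd=True asks the server to recurse."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def classify_response(qid, resp):
    """Read the header of a reply to an RD query and say what the server offered."""
    if len(resp) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != qid:
        return "id-mismatch"
    if not flags & FLAG_QR:
        return "not-a-response"
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"          # query rejected outright (e.g. allow-query)
    if flags & FLAG_RA:
        return "open-recursive"   # server is willing to recurse for us
    return "no-recursion"         # answered, but RA cleared: recursion denied


def probe(server, name="www.example.com", port=53, timeout=3.0):
    """Send one RD query over UDP to `server` and classify the reply."""
    qid = random.randrange(0x10000)
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(qid, resp)


# Constructed reply headers (not captured traffic) for offline checking:
# open resolver -> QR|RD|RA, NOERROR; rejected query -> QR|RD, RCODE REFUSED;
# recursion denied but query answered -> QR|RD with RA cleared.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0)
SAMPLE_DENIED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("%s: %s" % (target, probe(target)))
```

Run it from a host that is not in the permitted address list; "open-recursive" from such a host means the server still recurses for unknown Internet sources.  Only the header is inspected, so the result does not depend on what the answer section contains.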

In particular, it is recommended practice, regardless of this
vulnerability, to accept recursive queries only from local clients that
would be expected to query this name server directly, not from unknown
Internet sources.  The 'allow-recursion' directive in the options
section of named.conf should be configured with an address list that
covers only those clients, as in the following simple example (each
prefix is written as its network address, 1.2.3.0/24, rather than as a
host within it):

options {
        directory "/etc/namedb";
        allow-recursion { 1.2.3.0/24; 127.0.0.1/32; ::1; };
};
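An expanded form of that configuration, added here as an illustration and not taken from the advisory or from the BIND documentation: the trusted networks are named once in an acl statement (192.0.2.0/24 stands in for the site's own client network and is an assumption) and plain queries are restricted as well, so that a server which exists only to serve its own clients refuses every query from elsewhere, not only recursive ones.

```conf
// named.conf fragment for a resolver that serves only local clients.
// 192.0.2.0/24 is a placeholder for the site's client network.
acl "trusted" {
        192.0.2.0/24;
        127.0.0.1/32;
        ::1;
};

options {
        directory "/etc/namedb";
        recursion yes;
        // Without allow-recursion, BIND 9.3 recurses for any source.
        allow-recursion { trusted; };
        // Also refuse non-recursive queries from outside.  A server that
        // is additionally authoritative for public zones must override
        // this with allow-query { any; } inside those zone statements.
        allow-query { trusted; };
};
```

Check the file with named-checkconf before putting it into service, for example 'named-checkconf /etc/namedb/named.conf && rndc reload'.  Do not name the acl "localnets", "localhost", "any" or "none": those are built-in address match lists in BIND and cannot be redefined.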


It is recommended that NetBSD users of vulnerable versions update
their binaries.

The following instructions describe how to upgrade your bind
binaries by updating your source tree and rebuilding and
installing a new version of bind.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2006-09-05
	should be upgraded to NetBSD-current dated 2006-09-06 or later.

	The following files need to be updated from CVS HEAD:
		dist/bind/bin/named/query.c
		dist/bind/lib/dns/resolver.c

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update dist/bind/bin/named/query.c
		# cvs update dist/bind/lib/dns/resolver.c
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2006-09-06 should be upgraded to NetBSD 3.* sources dated
	2006-09-07 or later.

	The following files need to be updated from the
	netbsd-3 or netbsd-3-0 CVS branch:
		dist/bind/bin/named/query.c
		dist/bind/lib/dns/resolver.c

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -r <branch_name> dist/bind/bin/named/query.c
		# cvs update -r <branch_name> dist/bind/lib/dns/resolver.c
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========

CERT for notification and co-ordination of the issue.  The Internet
Systems Consortium (ISC) is credited with the discovery and correction
of both issues.


Revision History
================

	2006-09-21	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-022.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-022.txt,v 1.3 2006/09/21 13:33:13 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (NetBSD)

iQCVAwUBRRL0BD5Ru2/4N2IFAQIGFwP+PMHCaLRoiipoFsiyBoNTjhRvePkwPOit
d1W6hW45QW8w1RBwMdACupZDz/c/U1KwyyO2A20IzZm5INSmA08fBj6VFoubgwHa
cb9O0zwTChoehozqUga8Mad1sLjts5avp9TyVguXdhiCvK8QTIOVyM5K74IwChxg
QpevrgNufMw=
=oArz
-----END PGP SIGNATURE-----