freebsd security - Feb 2015 - FreeBSD Security Advisory FreeBSD-SA-15:05.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

============================================================================FreeBSD-SA-15:05.bind
Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-02-25
Credits:        ISC
Affects:        FreeBSD 8.x and FreeBSD 9.x.
Corrected:      2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE)
                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
                2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE)
                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
CVE Name:       CVE-2015-1349

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

BIND servers which are configured to perform DNSSEC validation and which
are using managed keys (which occurs implicitly when using
"dnssec-validation auto;" or "dnssec-lookaside auto;") may
exhibit
unpredictable behavior due to the use of an improperly initialized
variable.

III. Impact

A remote attacker can trigger a crash of a name server that is configured
to use managed keys under specific and limited circumstances.  However,
the complexity of the attack is very high unless the attacker has a
specific network relationship to the BIND server which is targeted.

IV.  Workaround

Only systems that runs BIND, including recursive resolvers and authoritative
servers that performs DNSSEC validation and using managed-keys are affected.

This issue can be worked around by not using "auto" for the
dnssec-validation
or dnssec-lookaside options and do not configure a managed-keys statement.
Note that in order to do DNSSEC validation with this workaround one would
have to configure an explicit trusted-keys statement with the appropriate
keys.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r278973
releng/8.4/                                                       r279265
stable/9/                                                         r278972
releng/9.3/                                                       r279265
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://kb.isc.org/article/AA-01235>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:05.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnKkgP/3vUBO8o5ofQFMUYSS1siPxZ
63OeeRlMabEgiWZaQ+V2O7/CPrHDIgJHQABx9kNoiutWD9TC3c5f7Yh4nfaXmbKe
Ncu3EjF1Zw/uGbu3cXjboX0CYnBDYrPNJnzIvSG0UlTY5hEIi3FgN4v2Q3gzuU/2
3aUlFHyZb4GVzK+lA+wD0unOc6+il6LHPpSzwRbLpNxCB2J582HoCuw9i5NfMiOB
KP8axZeNZLMpE90s3H/VD+7UIoe6eOC0kykH/DpuUIUxxlExK9c8f9QurpoCnOrV
qwPAeWEYjmjZmMFivVZf5ugir6diaenfPjpXvUGNz2pCp5wlRkku71sMDsgnErX2
Fnuc6nCXqTb/XX6zQmz/236EEVr2UBuX0cXWT0Dvu8GznMij/s4J+9+/Pkjp/mr7
PfXj4H9UMv2Q3zOW7+Vb2Ru0zwfL9Dt90SyNbvt6DOA9KSNnUZIkN/pbKuS9fnHX
Pw7eiNPs4Rq0Ui1DJDWVsJnZV2aVSw+qHxeMVtjCWbx3O7IVGgj5W7i95iAPHRJ4
PVd1oaI2WsteoLNGpfXUD5sQr9yFRU/mRKtgSjxtKRV/nIkdwfTNcHHXIl0XuIWw
C7VmAjlZgqj7aacTZWiVXqiFkN6gDjjFv1lVYmuDQOiK52JCbcBavYnxzZxVzuSa
yIpDuhJS5vIt/B5oepoZ
=uquT
-----END PGP SIGNATURE-----

On Wed, Feb 25, 2015 at 6:29 AM, FreeBSD Security Advisories
<security-advisories at freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
============================================================================>
FreeBSD-SA-15:05.bind                                       Security Advisory
>                                                           The FreeBSD
Project
>
> Topic:          BIND remote denial of service vulnerability
>
> Category:       contrib
> Module:         bind
> Announced:      2015-02-25
> Credits:        ISC
> Affects:        FreeBSD 8.x and FreeBSD 9.x.
> Corrected:      2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE)
>                 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
>                 2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE)
>                 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
> CVE Name:       CVE-2015-1349
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.
>
> II.  Problem Description
>
> BIND servers which are configured to perform DNSSEC validation and which
> are using managed keys (which occurs implicitly when using
> "dnssec-validation auto;" or "dnssec-lookaside auto;")
may exhibit
> unpredictable behavior due to the use of an improperly initialized
> variable.
>
> III. Impact
>
> A remote attacker can trigger a crash of a name server that is configured
> to use managed keys under specific and limited circumstances.  However,
> the complexity of the attack is very high unless the attacker has a
> specific network relationship to the BIND server which is targeted.
>
> IV.  Workaround
>
> Only systems that runs BIND, including recursive resolvers and
authoritative
> servers that performs DNSSEC validation and using managed-keys are
affected.
>
> This issue can be worked around by not using "auto" for the
dnssec-validation
> or dnssec-lookaside options and do not configure a managed-keys statement.
> Note that in order to do DNSSEC validation with this workaround one would
> have to configure an explicit trusted-keys statement with the appropriate
> keys.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
Seems like freebsd-update is throwing some error:

root at 04-dev:~ # freebsd-update install
Installing updates...install:
///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or
directory
 done.
root at 04-dev:~ # uname -a
FreeBSD 04-dev 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27
08:55:07 UTC 2015
root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

Anything to worry about?

Kind regards,
Bartek Rutkowski

Hi Security Officials of FreeBSD,
On 24 February 2015 at 22:29, FreeBSD Security Advisories
<security-advisories at freebsd.org> wrote:
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install

My recommendation as a self check:

Recommend users run freebsd-version -k and freebsd-version -u and
indicate in the SA what they should see as a result.

I know you don't want to give a false sense of security but when the
result of following the prescribed advice is:
freebsd-update install
Installing updates...install:
///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or
directory

It may be ideal to let users know how to check their systems.

-- 
-------
inum: 883510009027723
sip: jungleboogie at sip2sip.info
xmpp: jungle-boogie at jit.si