Opened 6 years ago

Closed 6 years ago

#803 closed incident (worksforme)

Kwetsbaarheid gevonden in Delegation Handeling in BIND, PowerDNS en Unbound

Reported by: mbreet Owned by:
Keywords: security Cc:
Location: Generiek

Description

Via security bulletin. WL gebruikt toch ook Unbound?

Samenvatting

Doordat het aantal recursive queries in resolvers van BIND,
PowerDNS en Unbound niet gelimiteerd worden, is het mogelijk dat
met een speciale setup de resolvers in een oneindige loop terecht
kunnen komen.

Gevolgen

De resources op de resolvers zullen door de oneindige loop
langzamerhand volraken waardoor de resolver niet meer antwoord op
queries. Dit met een Denial of Service (DoS) tot gevolg.

Beschrijving

BIND:
By making use of maliciously-constructed zones or a rogue server,
an attacker can exploit an oversight in the code BIND 9 uses to
follow delegations in the Domain Name Service, causing BIND to
issue unlimited queries in an attempt to follow the delegation.
This can lead to resource exhaustion and denial of service (up to
and including termination of the named server process.)
Versions affected: 9.0.x -> 9.8.x, 9.9.0 -> 9.9.6, 9.10.0 -> 9.10.1
CVE-2014-8500


PowerDNS:

This problem can be triggered by sending queries for specifically
configured domains.
Affects: PowerDNS Recursor versions 3.6.1 and earlier
CVE-2014-8601


Unbound:

The resolver can be tricked into following an endless series of
delegations, this consumes a lot of resources. A patch is
available that limits the number of fetches performed for a query.
Affects: Ubound 1.50 and earlier
CVE-2014-8602

Oplossing / Work-around

KPN-CERT raadt aan om resolvers zo snel mogelijk te updaten naar de
laatste versie.


BIND:

BIND 9 version 9.9.6-P1
BIND 9 version 9.10.1-P1


PowerDNS:

PowerDNS Recursor 3.6.2


Unbound:

The proper fix is a patch, which is available:

http://unbound.net/downloads/patch_cve_2014_8602.diff


A very simple workaround is to ignore the problem and let existing
anti-DoS systems in unbound deal with the issue. It will consume a
lot of resources, but other customers will (most likely) continue
to get service.

Links

http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/
https://kb.isc.org/article/AA-01216
http://www.unbound.net/downloads/CVE-2014-8602.txt

Change History (1)

comment:1 Changed 6 years ago by mbreet

Resolution: worksforme
Status: newclosed
Note: See TracTickets for help on using tickets.