Bug 987866 - (CVE-2016-6170) VUL-1: CVE-2016-6170: bind: malicious primary DNS servers can crash secondaries
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Navin Kukreja
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170654/
Whiteboard: CVSSv2:SUSE:CVE-2016-6170:5.4:(AV:N/A...
Depends on:
Blocks:
Reported: 2016-07-06 12:22 UTC by Andreas Stieger
Modified: 2020-09-24 14:58 UTC (History)
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments
[v2] sles12-sp1-bind-CVE-2016-6170.patch (34.41 KB, patch)
2017-04-04 11:24 UTC, Nikola Pajkovsky
[v1] sles11-sp4-bind-CVE-2016-6170.patch (33.60 KB, patch)
2017-04-04 11:25 UTC, Nikola Pajkovsky
[v1] sles11-sp1-bind-CVE-2016-6170.patch (34.03 KB, patch)
2017-04-04 11:26 UTC, Nikola Pajkovsky

Description Andreas Stieger 2016-07-06 12:22:21 UTC
via oss-sec http://seclists.org/oss-sec/2016/q3/19

"most DNS server implementations do not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server."

from https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html

> * [ For [LT] Secondary DNS Service ]
> 
>   See https://github.com/sischkg/xfer-limit
> 
>   Most authoritative DNS server software does not have a size limit for
>   zone transfers. He generated unlimited zone information at the master
>   server and transferred it to slave servers. BIND 9, Knot DNS and Power
>   DNS slave servers received unlimited zone information and died.
>   NSD slave DNS server received unlimited zone data and /tmp became full.
> 
>   He generated zone transfer size limit patch for BIND 9, Knot, NSD,
>   PowerDNS.

Third party patches at https://github.com/sischkg/xfer-limit

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6170
http://seclists.org/oss-sec/2016/q3/20
Comment 1 Andreas Stieger 2016-07-06 13:26:35 UTC
Scenario for a vulnerable configuration:
"hidden master" setups, where a DNS service provider pulls a zone via XFER

I guess we'll want to wait for something official from ISC.
Comment 2 Swamp Workflow Management 2016-07-06 22:00:26 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2016-07-11 09:50:42 UTC
Waiting for patches from upstream project.
Comment 5 Swamp Workflow Management 2017-01-09 12:57:59 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-01-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63332
Comment 6 Nikola Pajkovsky 2017-03-14 08:53:19 UTC
Navin,

is this patch enough to mitigate the issue?

> https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=5f8412a4cb5ee14a0e8cddd4107854b40ee3291e
Comment 7 Navin Kukreja 2017-03-15 15:20:49 UTC
(In reply to Nikola Pajkovsky from comment #6)
> Navin,
> 
> is this patch enough to mitigate the issue?
> 
> > https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=5f8412a4cb5ee14a0e8cddd4107854b40ee3291e

Based on the solution provided on ISC Knowledge Base and the commit description, this patch is enough to mitigate the issue.

- Solution:
"ISC wish to stress that the behavior in question is not a failure of BIND to implement DNS protocols correctly, but is if anything an oversight in the protocol.  However, for the convenience of operators who take zone data from untrusted sources (such as secondary name service providers) we have committed to delivering a feature in upcoming maintenance releases of BIND which will address the issue by allowing operators to set limits on the maximum zone size BIND will accept."

- Commit message:
4504.   [security]      Allow the maximum number of records in a zone to
                        be specified.  This provides a control for issues
                        raised in CVE-2016-6170. [RT #42143]
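As an added defender-side example (not code from the bug report, from SUSE or from ISC), the following Python audits a constructed named.conf for type slave zones that lack the record-count limit the cited upstream commit introduced; max-records is BIND's zone option for that limit, while the zone names and master address in the sample are constructed.

```python
# Added audit helper, not part of the bug report or of BIND: flag zones of
# type slave whose max-records is absent or 0 (BIND's default, unlimited),
# i.e. secondaries still exposed to the unbounded transfer of CVE-2016-6170.
# The brace matching covers the nesting used in the sample, not the full
# named.conf grammar.
import re

# Constructed sample: "weak.example" has no limit, "capped.example" is capped.
SAMPLE_NAMED_CONF = """options { directory "/var/lib/named"; };
zone "weak.example" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/weak.example";
};
zone "capped.example" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/capped.example";
    max-records 100000;
};
zone "local.example" {
    type master;
    file "master/local.example";
};
"""

def zone_blocks(conf):
    """Yield (zone_name, body) pairs, matching braces so that nested
    statements such as masters { ... } stay inside the zone body."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def max_records(body):
    """Return the zone's max-records value, or 0 (unlimited) when absent."""
    m = re.search(r"\bmax-records\s+(\d+)\s*;", body)
    return int(m.group(1)) if m else 0

def unlimited_secondaries(conf):
    """Names of type-slave zones that would accept a zone of any size."""
    return [name for name, body in zone_blocks(conf)
            if re.search(r"\btype\s+slave\s*;", body) and max_records(body) == 0]

if __name__ == "__main__":
    for name in unlimited_secondaries(SAMPLE_NAMED_CONF):
        print(f"{name}: type slave without max-records (unlimited)")
```

Running it against the sample reports only weak.example; the master zone is ignored because the limit protects a secondary receiving a transfer, not the zone's origin.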
Comment 8 Nikola Pajkovsky 2017-04-04 11:24:04 UTC
Leonardo suggests that further code/security review should have been done
here. I have, meanwhile, done backporting for sles12-sp1, sles11-sp4 and
sles11-sp4 in bsc#1028603. So I'm attaching the following patches:

  [v2] sles12-sp1-bind-CVE-2016-6170.patch
  [v1] sles11-sp4-bind-CVE-2016-6170.patch
  [v1] sles11-sp1-bind-CVE-2016-6170.patch

Please do code review.
Comment 9 Nikola Pajkovsky 2017-04-04 11:24:39 UTC
Created attachment 719774 [details]
[v2] sles12-sp1-bind-CVE-2016-6170.patch
Comment 10 Nikola Pajkovsky 2017-04-04 11:25:30 UTC
Created attachment 719775 [details]
[v1] sles11-sp4-bind-CVE-2016-6170.patch
Comment 11 Nikola Pajkovsky 2017-04-04 11:26:04 UTC
Created attachment 719777 [details]
[v1] sles11-sp1-bind-CVE-2016-6170.patch
Comment 12 Navin Kukreja 2017-04-06 08:31:54 UTC
Changes look good to me.
Comment 18 Swamp Workflow Management 2017-04-13 04:10:31 UTC
SUSE-SU-2017:0998-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1020983,1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Server 12-SP2 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Server 12-SP1 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    bind-9.9.9P1-59.1
Comment 19 Swamp Workflow Management 2017-04-13 04:11:33 UTC
SUSE-SU-2017:0999-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    bind-9.9.9P1-28.34.1
SUSE Linux Enterprise Server 12-LTSS (src):    bind-9.9.9P1-28.34.1
Comment 20 Swamp Workflow Management 2017-04-13 04:12:40 UTC
SUSE-SU-2017:1000-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE OpenStack Cloud 5 (src):    bind-9.9.6P1-0.44.1
SUSE Manager Proxy 2.1 (src):    bind-9.9.6P1-0.44.1
SUSE Manager 2.1 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Server 11-SP4 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    bind-9.9.6P1-0.44.1
Comment 21 Swamp Workflow Management 2017-04-13 06:35:47 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-04-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63541
Comment 22 Swamp Workflow Management 2017-04-19 19:10:10 UTC
openSUSE-SU-2017:1063-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1020983,1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
openSUSE Leap 42.2 (src):    bind-9.9.9P1-48.3.1
openSUSE Leap 42.1 (src):    bind-9.9.9P1-51.1
Comment 23 Marcus Meissner 2017-07-04 12:56:29 UTC
released