Re: About CVE-2015-5477 (An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure)

2015-07-28 Thread /dev/rob0
On Tue, Jul 28, 2015 at 07:06:16PM -0400, Ben Croswell wrote:
 Is it safe to say the only vulnerable hosts would be those
 accepting queries from the outside world, or would this also
 pertain to servers getting responses from the outside world with
 no inbound queries?

I would ask where does the outside world begin?  Many sites serve 
users with vulnerabilities.  Have you ever had botnet traffic 
originating from your network?  (I have, not fun.)

Otherwise your premise is valid; the malicious query comes to your 
named via port 53 UDP or TCP, not as a reply from another server.
But if you're thinking it's okay because you're going to deny the 
query, no!  This happens before named gets to that point.  Your 
nameserver must be closed to ALL potentially hostile queries.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
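The point /dev/rob0 makes above is that the triggering query arrives on port 53 over UDP or TCP and is handled before named reaches its ACL checks, and McNally notes that screening such packets needs devices that understand DNS at the protocol level. The following added example (not code from this thread or from ISC) parses the question section of a DNS message to flag TKEY queries (RR type 249, RFC 2930) on either transport, for monitoring; the `build_query` helper and every sample name in it are constructed for illustration.

```python
import struct

TKEY_QTYPE = 249  # RR type number for TKEY (RFC 2930)

def parse_question(msg: bytes):
    """Return (qname, qtype, qclass) of the first question in a DNS query,
    or None for responses and for truncated or malformed messages."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack_from("!HH", msg, 2)
    if flags & 0x8000 or qdcount == 0:  # QR=1 is a response, not a query
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        # A compression pointer or extended label type (top bits set) has
        # nothing to point at in a bare query; treat it as malformed.
        if length & 0xC0 or pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack_from("!HH", msg, pos)
    return ".".join(labels) or ".", qtype, qclass

def is_tkey_query(payload: bytes, transport: str = "udp") -> bool:
    """True if a UDP datagram, or the first message of a TCP stream
    (2-byte length prefix, RFC 1035 section 4.2.2), carries a TKEY query."""
    if transport == "tcp":
        if len(payload) < 2:
            return False
        (length,) = struct.unpack_from("!H", payload, 0)
        payload = payload[2:2 + length]
    q = parse_question(payload)
    return q is not None and q[1] == TKEY_QTYPE

def build_query(name: str, qtype: int) -> bytes:
    """Constructed sample query (header + one question), for testing only."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
```

TKEY is used legitimately by GSS-TSIG clients (for example Windows dynamic update), so hits from this parser are alerting data for a resolver or authoritative server you cannot patch yet, not a substitute for the fix.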


Re: About CVE-2015-5477 (An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure)

2015-07-28 Thread Ben Croswell
Is it safe to say the only vulnerable hosts would be those accepting
queries from the outside world, or would this also pertain to servers getting
responses from the outside world with no inbound queries?
 On Jul 28, 2015 5:42 PM, Michael McNally mcna...@isc.org wrote:

 As the security incident manager for this particular vulnerability
 notification, I'd like to say a little extra, beyond our official
 vulnerability disclosure (https://kb.isc.org/article/AA-01272)
 about this critical defect in BIND.

 Many of our bugs are limited in scope or affect only users having
 a particular set of configuration choices.  CVE-2015-5477 does not
 fall into that category.  Almost all unpatched BIND servers are
 potentially vulnerable.  We know of no configuration workarounds.
 Screening the offending packets with firewalls is likely to be
 difficult or impossible unless those devices understand DNS at a
 protocol level and may be problematic even then.  And the fix for
 this defect is very localized to one specific area of the BIND code.

 The practical effect of this is that this bug is difficult to defend
 against (except by patching, which is completely effective) and will
 not be particularly difficult to reverse-engineer.  I have already
 been told by one expert that they have successfully reverse-engineered
 an attack kit from what has been divulged and from analyzing the code
 changes, and while I have complete confidence that the individual who
 told me this is not intending to use his kit in a malicious manner,
 there are others who will do so who may not be far behind.

 Please take steps to patch immediately.  This bug is designated
 Critical and it deserves that designation.


About CVE-2015-5477 (An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure)

2015-07-28 Thread Michael McNally
As the security incident manager for this particular vulnerability
notification, I'd like to say a little extra, beyond our official
vulnerability disclosure (https://kb.isc.org/article/AA-01272)
about this critical defect in BIND.

Many of our bugs are limited in scope or affect only users having
a particular set of configuration choices.  CVE-2015-5477 does not
fall into that category.  Almost all unpatched BIND servers are
potentially vulnerable.  We know of no configuration workarounds.
Screening the offending packets with firewalls is likely to be
difficult or impossible unless those devices understand DNS at a
protocol level and may be problematic even then.  And the fix for
this defect is very localized to one specific area of the BIND code.

The practical effect of this is that this bug is difficult to defend
against (except by patching, which is completely effective) and will
not be particularly difficult to reverse-engineer.  I have already
been told by one expert that they have successfully reverse-engineered
an attack kit from what has been divulged and from analyzing the code
changes, and while I have complete confidence that the individual who
told me this is not intending to use his kit in a malicious manner,
there are others who will do so who may not be far behind.

Please take steps to patch immediately.  This bug is designated
Critical and it deserves that designation.