CVE-2020-8624: update-policy rules of type subdomain are enforced incorrectly

Related Vulnerabilities: CVE-2020-8624  

Debian Bug report logs - #966497

Package: bind9; Maintainer for bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Source for bind9 is src:bind9.

Reported by: Joop Boonen <joop.boonen@credativ.de>

Date: Wed, 29 Jul 2020 11:21:02 UTC

Severity: important

Tags: fixed-upstream, security

Found in version bind9/1:9.11.5.P4+dfsg-5.1+deb10u1

Fixed in version bind9/1:9.16.6-1



Report forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#966497; Package bind9. (Wed, 29 Jul 2020 11:21:04 GMT)


Acknowledgement sent to Joop Boonen <joop.boonen@credativ.de>:
New Bug report received and forwarded. Copy sent to Debian DNS Team <team+dns@tracker.debian.org>. (Wed, 29 Jul 2020 11:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joop Boonen <joop.boonen@credativ.de>
To: submit@bugs.debian.org
Subject: Buster: update-policy { grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt; } is not handled correctly
Date: Wed, 29 Jul 2020 13:17:03 +0200
Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1+deb10u1

Problem:
update-policy { grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt; } is not handled correctly

Debian Stretch (9.10.3) doesn't have this issue. 

It is also possible to change entries in DOMAIN.TLD

Configuration part:

include "/etc/bind/dev.key";

zone DOMAIN.TLD {
	type master;
	file "/var/lib/bind/zones/DOMAIN.TLD";
	key-directory "/var/lib/bind/keys";
	masterfile-format raw;
	update-policy {
		grant dhcp zonesub a dhcid;
		grant local-ddns zonesub any;
		grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt;
	};

	allow-transfer {
		local;
	};
};

nsupdate key:

cat /etc/bind/dev.key 
key "dev.DOMAIN.TLD" {
	algorithm hmac-sha512;
	secret "******";
};


What is seen on Debian Buster:

nsupdate -k dev.key
> server 192.168.122.129
> ttl 3600
> update add test3.dev.DOMAIN.TLD a 192.0.2.3
> send
> update add test.DOMAIN.TLD a 192.0.2.1
> send

Logging: 
Jul 28 16:48:59 debian10-bind named[5894]: client @0x7f5718000c80 192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test3.dev.DOMAIN.de' A 192.0.2.3
Jul 28 16:48:59 debain10-bind named[5894]: zone DOMAIN.de/IN: sending notifies (serial 2020050521)
Jul 28 16:49:07 debian10-bind named[5894]: client @0x7f5718000c80 192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test.DOMAIN.de' A 192.0.2.1
Jul 28 16:49:07 debian10-bind named[5894]: zone DOMAIN.de/IN: sending notifies (serial 2020050522)


How it should look, Debian Stretch:

nsupdate -k dev.key
> server 192.168.122.40
> ttl 3600
> update add test5.dev.credativ.de a 192.0.2.5   
> send
> update add test5.credativ.de a 192.0.2.5
> send
update failed: REFUSED

Logging:
Jul 29 11:37:00 debian9-bind named[515]: client 192.168.122.1#49684/key dev.credativ.de: updating zone 'credativ.de/IN': adding an RR at 'test5.dev.credativ.de' A 192.0.2.5
Jul 29 11:37:00 debian9-bind named[515]: zone credativ.de/IN: sending notifies (serial 2020050522)
Jul 29 11:37:16 debian9-bind named[515]: client 192.168.122.1#49684/key dev.credativ.de: updating zone 'credativ.de/IN': update failed: rejected by secure update (REFUSED)


An ISC issue (bug report) has been created: https://gitlab.isc.org/isc-projects/bind9/-/issues/2055

Regards,
 
Joop Boonen

Tel.: +49 2166 9901-0
Fax: +49 2166 9901-100
E-Mail: joop.boonen@credativ.de
pgp fingerprint: 9130 2E95 0D0E 1721 EB23 7270 C2C6 B28E 7EA7 F0A4
https://www.credativ.de
credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Our handling of personal data is subject to
the following provisions: https://www.credativ.de/datenschutz

Changed Bug title to 'CVE-2020-8624: update-policy rules of type subdomain are enforced incorrectly' from 'Buster: update-policy { grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt; } is not handled correctly'. Request was from Martin Zobel-Helas <zobel@debian.org> to control@bugs.debian.org. (Fri, 21 Aug 2020 09:48:12 GMT)


Added tag(s) security. Request was from Martin Zobel-Helas <zobel@debian.org> to control@bugs.debian.org. (Fri, 21 Aug 2020 09:48:13 GMT)


Added tag(s) fixed-upstream. Request was from Martin Zobel-Helas <zobel@debian.org> to control@bugs.debian.org. (Fri, 21 Aug 2020 09:48:13 GMT)


Marked as fixed in versions bind9/1:9.16.6-1. Request was from Martin Zobel-Helas <zobel@debian.org> to control@bugs.debian.org. (Fri, 21 Aug 2020 13:33:05 GMT)


Severity set to 'important' from 'normal' Request was from Martin Zobel-Helas <zobel@debian.org> to control@bugs.debian.org. (Fri, 21 Aug 2020 13:39:02 GMT)
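
A log check for the behaviour reported in message #5, as an added example that is not part of the bug report or of BIND: it applies the label-wise meaning of a `subdomain` grant (the updated name is identical to, or below, the base name) to named's "adding an RR" log lines and lists updates the key should not have been allowed to make. The policy table, the `example.com` names and the sample log lines are constructed for illustration.

```python
import re

# Assumed policy table mirroring the report's rule
#   grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt;
# key name -> (base name, allowed record types). example.com is a placeholder.
SUBDOMAIN_GRANTS = {
    "dev.example.com": ("dev.example.com", {"A", "AAAA", "TXT"}),
}

# named's update log line, with or without the "@0x..." client pointer
# that appears in the Buster log but not in the Stretch log.
UPDATE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?\S+#\d+/key (?P<key>\S+): "
    r"updating zone '[^/']+/IN': "
    r"adding an RR at '(?P<name>[^']+)' (?P<type>\S+)"
)

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, base):
    """True if name equals base or lies below it, compared label by label."""
    n, b = labels(name), labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def out_of_policy(log_lines, grants=SUBDOMAIN_GRANTS):
    """Return (key, name, type) for accepted updates outside the key's grant."""
    findings = []
    for line in log_lines:
        m = UPDATE_RE.search(line)
        if not m or m["key"].lower() not in grants:
            continue
        base, types = grants[m["key"].lower()]
        if not is_subdomain(m["name"], base) or m["type"].upper() not in types:
            findings.append((m["key"], m["name"], m["type"]))
    return findings

# Constructed sample lines in the format shown in the report.
PREFIX = "Jul 28 16:49:07 ns1 named[5894]: client "
ZONE = "/key dev.example.com: updating zone 'example.com/IN': adding an RR at "
SAMPLE_LOG = [
    PREFIX + "@0x7f0000000000 192.0.2.10#40886" + ZONE + "'test3.dev.example.com' A 192.0.2.3",
    PREFIX + "@0x7f0000000000 192.0.2.10#40886" + ZONE + "'test.example.com' A 192.0.2.1",
    PREFIX + "192.0.2.10#49684" + ZONE + "'xdev.example.com' TXT \"x\"",
]

if __name__ == "__main__":
    for finding in out_of_policy(SAMPLE_LOG):
        print("update outside subdomain grant:", finding)
```

The label-wise comparison matters: a plain string suffix test would treat `xdev.example.com` as falling under `dev.example.com`.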




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Aug 22 10:23:32 2020; Machine Name: buxtehude
