bind9: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective

Related Vulnerabilities: CVE-2018-5743   CVE-2019-6465   CVE-2018-5745  

Debian Bug report logs - #927932
bind9: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective


Reported by: Bernhard Schmidt <berni@debian.org>

Date: Thu, 25 Apr 2019 06:51:04 UTC

Severity: grave

Tags: security, upstream

Merged with 927934

Found in versions bind9/1:9.10.3.dfsg.P4-12.3+deb9u4, bind9/1:9.11.6+dfsg-1, bind9/1:9.10.3.dfsg.P4-12.3, bind9/1:9.11.5.P4+dfsg-3

Fixed in versions bind9/1:9.11.5.P4+dfsg-4, bind9/1:9.10.3.dfsg.P4-12.3+deb9u5

Done: Bernhard Schmidt <berni@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#927932; Package src:bind9. (Thu, 25 Apr 2019 06:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
New Bug report received and forwarded. Copy sent to Debian DNS Team <team+dns@tracker.debian.org>. (Thu, 25 Apr 2019 06:51:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
Date: Thu, 25 Apr 2019 08:49:02 +0200
Package: src:bind9
Severity: grave
Tags: security, upstream

CVE:                 CVE-2018-5743
Document version:    2.0
Posting date:        24 April 2019
Program impacted:    BIND
Versions affected:   BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6,
                     9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview
                     Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
                     Versions 9.13.0 -> 9.13.7 of the 9.13 development branch
                     are also affected. Versions prior to BIND 9.9.0 have not
                     been evaluated for vulnerability to CVE-2018-5743.
Severity:            High
Exploitable:         Remotely

Description:

   By design, BIND is intended to limit the number of TCP clients
   that can be connected at any given time. The number of allowed
   connections is a tunable parameter which, if unset, defaults to
   a conservative value for most servers. Unfortunately, the code
   which was intended to limit the number of simultaneous connections
   contains an error which can be exploited to grow the number of
   simultaneous connections beyond this limit.

Impact:

   By exploiting the failure to limit simultaneous TCP connections,
   an attacker can deliberately exhaust the pool of file descriptors
   available to named, potentially affecting network connections
   and the management of files such as log files or zone journal
   files.

   In cases where the named process is not limited by OS-enforced
   per-process limits, this could additionally potentially lead to
   exhaustion of all available free file descriptors on that system.

CVSS Score:          7.5
CVSS Vector:         CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Workarounds:

   None.

Active exploits:

   No known deliberate exploits, but the situation may occur
   accidentally on busy servers.

   It is possible for operators to mistakenly believe that their
   configured (or default) limit is sufficient for their typical
   operations, when in fact it is not. Following an upgrade to a
   version that effectively applies limits, named may deny connections
   which were previously improperly permitted. Operators can monitor
   their logs for rejected connections, keep an eye on "rndc status"
   reports of simultaneous connections, or use other tools to monitor
   whether the now-effective limits are causing problems for
   legitimate clients. Should this be the case, increasing the value
   of the tcp-clients setting in named.conf to an appropriate value
   would be recommended.

Solution:

   Upgrade to a version of BIND containing a fix for the ineffective
   limits.

   -  BIND 9.11.6-P1
   -  BIND 9.12.4-P1
   -  BIND 9.14.1

   BIND Supported Preview Edition is a special feature preview
   branch of BIND provided to eligible ISC support customers.

   -  BIND 9.11.5-S6
   -  BIND 9.11.6-S1

Acknowledgements:

   ISC would like to thank AT&T for helping us to discover this
   issue.

Document revision history:

   1.0 Advance Notification, 16 January 2019
   1.1 Recall due to error in original fix, 17 January 2019
   1.3 Replacement fix delivered to Advance Notification customers, 15 April 2019
   1.4 Corrected Versions affected and Solution, 16 April 2019
   1.5 Added reference to BIND 9.11.6-S1
   2.0 Public disclosure, 24 April 2019

Related documents:

   See our BIND 9 Security Vulnerability Matrix for a complete
   listing of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory
should go to security-officer@isc.org. To report a new issue, please
encrypt your message using security-officer@isc.org's PGP key which
can be found here:
   https://www.isc.org/downloads/software-support-policy/openpgp-key
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/.

Note:

   ISC patches only currently supported versions. When possible we
   indicate EOL versions affected. (For current information on which
   versions are actively supported, please see
   https://www.isc.org/downloads/.)

ISC Security Vulnerability Disclosure Policy:

   Details of our current security advisory policy and practice can
   be found in the ISC Software Defect and Security Vulnerability
   Disclosure Policy.

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time. A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.
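The advisory tells operators to watch their logs for rejected connections and the "rndc status" count of simultaneous TCP clients once the limit becomes effective, and to raise tcp-clients in named.conf if legitimate clients are refused. The following is an added example of that check (it is not code from the advisory, from ISC or from the Debian package); the "tcp clients: N/M" status line and the "no more TCP clients" log text are assumed formats, and the sample status output and log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

# Assumed format of the quota line printed by `rndc status`: "tcp clients: N/M"
RNDC_TCP_RE = re.compile(r"^tcp clients:\s*(\d+)/(\d+)\s*$", re.MULTILINE)
# Assumed text of the message named logs when it refuses a TCP accept
# because the tcp-clients quota is exhausted.
REJECT_RE = re.compile(r"no more TCP clients")


@dataclass(frozen=True)
class TcpQuotaReport:
    in_use: int     # simultaneous TCP clients at the time of the status call
    limit: int      # configured (or default) tcp-clients value
    rejected: int   # quota rejections seen in the supplied log window
    action: str     # "ok", "near-limit" or "raise-limit"

    @property
    def utilization(self) -> float:
        return self.in_use / self.limit if self.limit else 0.0


def parse_rndc_status(text: str) -> Tuple[int, int]:
    """Return (in_use, limit) from `rndc status` output."""
    m = RNDC_TCP_RE.search(text)
    if m is None:
        raise ValueError("no 'tcp clients: N/M' line in rndc status output")
    in_use, limit = int(m.group(1)), int(m.group(2))
    if limit == 0:
        raise ValueError("a tcp-clients limit of 0 is not meaningful")
    return in_use, limit


def count_rejections(log_lines: Iterable[str]) -> int:
    """Count log lines in which named refused a TCP client for quota reasons."""
    return sum(1 for line in log_lines if REJECT_RE.search(line))


def assess(status_text: str, log_lines: Iterable[str],
           warn_at: float = 0.8) -> TcpQuotaReport:
    """Decide whether the now-effective tcp-clients limit needs raising.

    Any rejection, or a fully used quota, means legitimate clients are (or are
    about to be) refused; utilisation at or above warn_at is worth watching.
    """
    in_use, limit = parse_rndc_status(status_text)
    rejected = count_rejections(log_lines)
    util = in_use / limit
    if rejected > 0 or util >= 1.0:
        action = "raise-limit"
    elif util >= warn_at:
        action = "near-limit"
    else:
        action = "ok"
    return TcpQuotaReport(in_use, limit, rejected, action)


# Constructed sample input (not captured from a real server).
SAMPLE_RNDC_STATUS = """version: BIND 9.11 (constructed sample)
recursive clients: 12/900/1000
tcp clients: 150/150
server is up and running
"""
SAMPLE_LOG_LINES = [
    "26-Apr-2019 08:40:01.101 client: warning: no more TCP clients(accept): quota reached",
    "26-Apr-2019 08:40:01.205 queries: info: client 192.0.2.10#53811: query: example.net IN A +",
    "26-Apr-2019 08:40:02.330 client: warning: no more TCP clients(accept): quota reached",
]

if __name__ == "__main__":
    report = assess(SAMPLE_RNDC_STATUS, SAMPLE_LOG_LINES)
    print(f"tcp clients {report.in_use}/{report.limit} ({report.utilization:.0%}), "
          f"rejected={report.rejected}, action={report.action}")
    if report.action == "raise-limit":
        print("Set a higher 'tcp-clients' in the options block of named.conf and re-check.")
```

Feed it the live output of `rndc status` and a recent slice of the named log; a "raise-limit" result after the upgrade is the situation the advisory describes, where connections previously admitted in error are now being refused.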



Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#927932; Package src:bind9. (Thu, 25 Apr 2019 06:57:10 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Team <team+dns@tracker.debian.org>. (Thu, 25 Apr 2019 06:57:10 GMT) (full text, mbox, link).


Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: Bernhard Schmidt <berni@debian.org>, 927932@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#927932: bind9: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
Date: Thu, 25 Apr 2019 08:55:28 +0200
I’ll have a patch for platforms without atomic support for you.

--
Ondřej Surý <ondrej@sury.org>

> On 25 Apr 2019, at 08:49, Bernhard Schmidt <berni@debian.org> wrote:
> 
> Package: src:bind9
> Severity: grave
> Tags: security, upstream
> 
> CVE:                 CVE-2018-5743
> Document version:    2.0
> Posting date:        24 April 2019
> Program impacted:    BIND
> Versions affected:   BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6,
>                     9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview
>                     Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
>                     Versions 9.13.0 -> 9.13.7 of the 9.13 development branch
>                     are also affected. Versions prior to BIND 9.9.0 have not
>                     been evaluated for vulnerability to CVE-2018-5743.
> Severity:            High
> Exploitable:         Remotely
> 
> Description:
> 
>   By design, BIND is intended to limit the number of TCP clients
>   that can be connected at any given time. The number of allowed
>   connections is a tunable parameter which, if unset, defaults to
>   a conservative value for most servers. Unfortunately, the code
>   which was intended to limit the number of simultaneous connections
>   contains an error which can be exploited to grow the number of
>   simultaneous connections beyond this limit.
> 
> Impact:
> 
>   By exploiting the failure to limit simultaneous TCP connections,
>   an attacker can deliberately exhaust the pool of file descriptors
>   available to named, potentially affecting network connections
>   and the management of files such as log files or zone journal
>   files.
> 
>   In cases where the named process is not limited by OS-enforced
>   per-process limits, this could additionally potentially lead to
>   exhaustion of all available free file descriptors on that system.
> 
> CVSS Score:          7.5
> CVSS Vector:         CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> 
> For more information on the Common Vulnerability Scoring System and
> to obtain your specific environmental score please visit:
> https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
> 
> Workarounds:
> 
>   None.
> 
> Active exploits:
> 
>   No known deliberate exploits, but the situation may occur
>   accidentally on busy servers.
> 
>   It is possible for operators to mistakenly believe that their
>   configured (or default) limit is sufficient for their typical
>   operations, when in fact it is not. Following an upgrade to a
>   version that effectively applies limits, named may deny connections
>   which were previously improperly permitted. Operators can monitor
>   their logs for rejected connections, keep an eye on "rndc status"
>   reports of simultaneous connections, or use other tools to monitor
>   whether the now-effective limits are causing problems for
>   legitimate clients. Should this be the case, increasing the value
>   of the tcp-clients setting in named.conf to an appropriate value
>   would be recommended.
> 
> Solution:
> 
>   Upgrade to a version of BIND containing a fix for the ineffective
>   limits.
> 
>   -  BIND 9.11.6-P1
>   -  BIND 9.12.4-P1
>   -  BIND 9.14.1
> 
>   BIND Supported Preview Edition is a special feature preview
>   branch of BIND provided to eligible ISC support customers.
> 
>   -  BIND 9.11.5-S6
>   -  BIND 9.11.6-S1
> 
> Acknowledgements:
> 
>   ISC would like to thank AT&T for helping us to discover this
>   issue.
> 
> Document revision history:
> 
>   1.0 Advance Notification, 16 January 2019
>   1.1 Recall due to error in original fix, 17 January 2019
>   1.3 Replacement fix delivered to Advance Notification customers, 15 April 2019
>   1.4 Corrected Versions affected and Solution, 16 April 2019
>   1.5 Added reference to BIND 9.11.6-S1
>   2.0 Public disclosure, 24 April 2019
> 
> Related documents:
> 
>   See our BIND 9 Security Vulnerability Matrix for a complete
>   listing of security vulnerabilities and versions affected.
> 
> Do you still have questions? Questions regarding this advisory
> should go to security-officer@isc.org. To report a new issue, please
> encrypt your message using security-officer@isc.org's PGP key which
> can be found here:
>   https://www.isc.org/downloads/software-support-policy/openpgp-key
> If you are unable to use encrypted email, you may also report new
> issues at: https://www.isc.org/community/report-bug/.
> 
> Note:
> 
>   ISC patches only currently supported versions. When possible we
>   indicate EOL versions affected. (For current information on which
>   versions are actively supported, please see
>   https://www.isc.org/downloads/.)
> 
> ISC Security Vulnerability Disclosure Policy:
> 
>   Details of our current security advisory policy and practice can
>   be found in the ISC Software Defect and Security Vulnerability
>   Disclosure Policy.
> 
> Legal Disclaimer:
> 
>   Internet Systems Consortium (ISC) is providing this notice on
>   an "AS IS" basis. No warranty or guarantee of any kind is expressed
>   in this notice and none should be implied. ISC expressly excludes
>   and disclaims any warranties regarding this notice or materials
>   referred to in this notice, including, without limitation, any
>   implied warranty of merchantability, fitness for a particular
>   purpose, absence of hidden defects, or of non-infringement. Your
>   use or reliance on this notice or materials referred to in this
>   notice is at your own risk. ISC may change this notice at any
>   time. A stand-alone copy or paraphrase of the text of this
>   document that omits the document URL is an uncontrolled copy.
>   Uncontrolled copies may lack important information, be out of
>   date, or contain factual errors.
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#927932; Package src:bind9. (Thu, 25 Apr 2019 06:57:11 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Team <team+dns@tracker.debian.org>. (Thu, 25 Apr 2019 06:57:11 GMT) (full text, mbox, link).


Marked as found in versions bind9/1:9.11.5.P4+dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2019 07:03:03 GMT) (full text, mbox, link).


Marked as found in versions bind9/1:9.11.6+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2019 07:03:03 GMT) (full text, mbox, link).


Marked as found in versions bind9/1:9.10.3.dfsg.P4-12.3+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2019 07:03:04 GMT) (full text, mbox, link).


Marked as found in versions bind9/1:9.10.3.dfsg.P4-12.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2019 07:03:04 GMT) (full text, mbox, link).


Merged 927932 927934 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2019 07:03:06 GMT) (full text, mbox, link).


Merged 927932 927934 Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Fri, 26 Apr 2019 07:51:06 GMT) (full text, mbox, link).


Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Fri, 26 Apr 2019 09:21:19 GMT) (full text, mbox, link).


Notification sent to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer. (Fri, 26 Apr 2019 09:21:19 GMT) (full text, mbox, link).


Message #32 received at 927932-close@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>
To: 927932-close@bugs.debian.org
Subject: Bug#927932: fixed in bind9 1:9.11.5.P4+dfsg-4
Date: Fri, 26 Apr 2019 09:18:38 +0000
Source: bind9
Source-Version: 1:9.11.5.P4+dfsg-4

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927932@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Apr 2019 08:33:13 +0000
Source: bind9
Architecture: source
Version: 1:9.11.5.P4+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Closes: 927827 927932 927962
Changes:
 bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
 .
   [ Bernhard Schmidt ]
   * AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)
 .
   [ Ondřej Surý ]
   * [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective
     (Closes: #927932)
   * Update symbols file for new symbol in libisc
   * Enable EDDSA again, but disable broken Ed448 support (Closes: #927962)





Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Fri, 26 Apr 2019 09:21:20 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 26 Apr 2019 09:21:20 GMT) (full text, mbox, link).


Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Mon, 13 May 2019 21:18:24 GMT) (full text, mbox, link).


Notification sent to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer. (Mon, 13 May 2019 21:18:25 GMT) (full text, mbox, link).


Message #41 received at 927932-close@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>
To: 927932-close@bugs.debian.org
Subject: Bug#927932: fixed in bind9 1:9.10.3.dfsg.P4-12.3+deb9u5
Date: Mon, 13 May 2019 21:17:13 +0000
Source: bind9
Source-Version: 1:9.10.3.dfsg.P4-12.3+deb9u5

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927932@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 May 2019 22:34:35 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils lwresd libbind-export-dev libdns-export162 libdns-export162-udeb libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 libirs-export141-udeb
Architecture: source
Version: 1:9.10.3.dfsg.P4-12.3+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-140 - BIND9 Shared Library used by BIND
 libdns-export162 - Exported DNS Shared Library
 libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
 libdns162  - DNS Shared Library used by BIND
 libirs-export141 - Exported IRS Shared Library
 libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
 libirs141  - DNS Shared Library used by BIND
 libisc-export160 - Exported ISC Shared Library
 libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
 libisc160  - ISC Shared Library used by BIND
 libisccc-export140 - Command Channel Library used by BIND
 libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
 libisccc140 - Command Channel Library used by BIND
 libisccfg-export140 - Exported ISC CFG Shared Library
 libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg140 - Config File Handling Library used by BIND
 liblwres141 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Closes: 922954 922955 927932
Changes:
 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u5) stretch-security; urgency=high
 .
   [ Marc Deslauriers (Ubuntu) ]
   * CVE-2018-5743: limiting simultaneous TCP clients is ineffective.
     Thanks to Marc Deslauriers of Ubuntu (Closes: #927932)
 .
   [ Ondřej Surý ]
   * Sync Maintainer and Uploaders with unstable
   * [CVE-2019-6465]: Zone transfer for DLZs are executed though not
     permitted by ACLs. (Closes: #922955)
   * [CVE-2018-5745]: Avoid assertion and thus causing named to
     deliberately exit when a trust anchor's key is replaced with a key
     which uses an unsupported algorithm. (Closes: #922954)





Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Mon, 13 May 2019 21:18:25 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 13 May 2019 21:18:25 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:41:33 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.