Merge branch '2055-grant-subdomain-fix-v9_16' into 'security-v9_16'
[CVE-2020-8624] Fix processing of "update-policy" rules of type "subdomain" (v9.16) See merge request isc-private/bind9!197
7
CHANGES
7
CHANGES
@@ -10,6 +10,13 @@
|
||||
system, but the Duplicate Address Detection (DAD)
|
||||
mechanism had not yet finished. [GL #2038]
|
||||
|
||||
5481. [security] "update-policy" rules of type "subdomain" were
|
||||
incorrectly treated as "zonesub" rules, which allowed
|
||||
keys used in "subdomain" rules to update names outside
|
||||
of the specified subdomains. The problem was fixed by
|
||||
making sure "subdomain" rules are again processed as
|
||||
described in the ARM. (CVE-2020-8624) [GL #2055]
|
||||
|
||||
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
|
||||
was possible to trigger an assertion failure in code
|
||||
determining the number of bits in the PKCS#11 RSA public
|
||||
|
||||
@@ -252,7 +252,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
||||
|
||||
str = cfg_obj_asstring(matchtype);
|
||||
CHECK(dns_ssu_mtypefromstring(str, &mtype));
|
||||
if (mtype == dns_ssumatchtype_subdomain) {
|
||||
if (mtype == dns_ssumatchtype_subdomain &&
|
||||
strcasecmp(str, "zonesub") == 0) {
|
||||
usezone = true;
|
||||
}
|
||||
|
||||
|
||||
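Review bot: The new condition `if (mtype == dns_ssumatchtype_subdomain && strcasecmp(str, "zonesub") == 0)` re-examines the match-type keyword after dns_ssu_mtypefromstring() has already mapped it, and nothing in the hunk records why; presumably both "subdomain" and "zonesub" map to dns_ssumatchtype_subdomain and only "zonesub" means the zone origin is the implied subdomain, which the string check recovers. Because the defect being fixed was precisely that this distinction got collapsed, a short comment would keep a later cleanup from folding the two branches together again, e.g. `/* "subdomain" and "zonesub" share dns_ssumatchtype_subdomain; only "zonesub" implies the zone name, so re-check the keyword here. */`. configure_zone_ssutable() begins and continues outside the hunk, so whether usezone is consumed consistently with this intent cannot be confirmed from here.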
@@ -37,6 +37,16 @@ key altkey {
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key restricted.example.nil {
|
||||
algorithm hmac-md5;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key zonesub-key.example.nil {
|
||||
algorithm hmac-md5;
|
||||
secret "1234subk8765";
|
||||
};
|
||||
|
||||
include "ddns.key";
|
||||
|
||||
zone "example.nil" {
|
||||
@@ -45,7 +55,9 @@ zone "example.nil" {
|
||||
check-integrity no;
|
||||
check-mx ignore;
|
||||
update-policy {
|
||||
grant zonesub-key.example.nil zonesub TXT;
|
||||
grant ddns-key.example.nil subdomain example.nil ANY;
|
||||
grant restricted.example.nil subdomain restricted.example.nil ANY;
|
||||
};
|
||||
allow-transfer { any; };
|
||||
};
|
||||
|
||||
@@ -430,7 +430,7 @@ EOF
|
||||
# this also proves that the server is still running.
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
|
||||
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
||||
grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
@@ -445,7 +445,7 @@ EOF
|
||||
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
|
||||
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
||||
grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
@@ -462,7 +462,7 @@ EOF
|
||||
_ret=1
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
||||
if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
|
||||
if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
|
||||
_ret=0
|
||||
break
|
||||
fi
|
||||
@@ -487,7 +487,7 @@ EOF
|
||||
_ret=1
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
||||
if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
|
||||
if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
|
||||
_ret=0
|
||||
break
|
||||
fi
|
||||
@@ -640,6 +640,58 @@ then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
|
||||
# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
|
||||
# and thus this UPDATE should succeed.
|
||||
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
key restricted.example.nil 1234abcd8765
|
||||
update add restricted.example.nil 0 IN TXT everywhere.
|
||||
send
|
||||
END
|
||||
$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
|
||||
grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
|
||||
# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
|
||||
# thus this UPDATE should fail.
|
||||
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
key restricted.example.nil 1234abcd8765
|
||||
update add example.nil 0 IN TXT everywhere.
|
||||
send
|
||||
END
|
||||
$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
|
||||
grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
|
||||
# grant zonesub-key.example.nil zonesub TXT;
|
||||
# the A record update should be rejected as it is not in the type list
|
||||
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
key zonesub-key.example.nil 1234subk8765
|
||||
update add zonesub.example.nil 0 IN A 1.2.3.4
|
||||
send
|
||||
END
|
||||
$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
|
||||
grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
|
||||
# the TXT record update should be accepted as it is in the type list
|
||||
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
key zonesub-key.example.nil 1234subk8765
|
||||
update add zonesub.example.nil 0 IN TXT everywhere.
|
||||
send
|
||||
END
|
||||
$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
|
||||
grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
|
||||
grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
|
||||
grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
|
||||
|
||||
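Review bot: The negative subdomain case (the nsupdate that does `update add example.nil 0 IN TXT everywhere.`) only asserts that nsupdate exits non-zero and that the record is absent afterwards, so an unrelated failure (server unreachable, SERVFAIL, NOTAUTH) would also let the check pass and the regression would go unnoticed; the zonesub check later in the same hunk greps the refusal explicitly, and this one should too: `grep "status: REFUSED" nsupdate.out2-$n > /dev/null || ret=1`. Symmetrically, the positive subdomain case could pin the answer count as the zonesub case does, `grep "ANSWER: 1," dig.out.1.test$n > /dev/null || ret=1`, so that a TXT matched from an ADDITIONAL/AUTHORITY line is not mistaken for success. Both tests also reuse the literal `everywhere.` as record data, which is fine only if no earlier test in this script left such a TXT at example.nil; that cannot be confirmed from the hunk.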
@@ -44,6 +44,15 @@ Security Fixes
|
||||
ISC would like to thank Lyu Chiy for bringing this vulnerability to
|
||||
our attention. [GL #2037]
|
||||
|
||||
- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
|
||||
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
|
||||
to update names outside of the specified subdomains. The problem was
|
||||
fixed by making sure ``subdomain`` rules are again processed as
|
||||
described in the ARM. This was disclosed in CVE-2020-8624.
|
||||
|
||||
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
|
||||
vulnerability to our attention. [GL #2055]
|
||||
|
||||
Known Issues
|
||||
~~~~~~~~~~~~
|
||||
|
||||
|
||||