Vigil@nce - ISC BIND: denial of service via recursion and RPZ
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the ISC BIND server is recursive, and uses an RPZ with
DNAME/CNAME, an internal attacker can stop the service.
Severity: 2/4
Creation date: 05/07/2011
Revision date: 05/07/2011
IMPACTED PRODUCTS
– Fedora
– ISC BIND
– OpenSUSE
– SUSE Linux Enterprise Server
DESCRIPTION OF THE VULNERABILITY
A DNS CNAME record defines an alias for a computer name. A DNS
DNAME record defines an alias for a domain name. For example:
  www1.domain.dom. IN CNAME www2.domain.dom.
  domain1.dom. IN DNAME domain2.dom.
BIND version 9.8.0 supports RPZs (Response Policy Zones), which a
recursive server uses to alter the replies returned to the user.
An RPZ configuration file can contain rewrite rules using CNAME or
DNAME. For example:
  *.malicious1.dom CNAME www.redirected.dom
  malicious2.dom DNAME redirected.dom
However, if an attacker who is allowed to send recursive queries
queries a sub-domain of a DNAME domain (www.sub.malicious2.dom), an
assertion error occurs in the query_find() function.
Similarly, if an attacker who is allowed to send recursive
queries queries a CNAME that uses a wildcard (*) record, an
assertion error occurs.
When the ISC BIND server is recursive, and uses an RPZ with
DNAME/CNAME, an internal attacker can therefore stop the service.
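To check whether an RPZ contains the rule types described above, the following added example (not part of the Vigil@nce bulletin or of BIND) scans zone-file text for DNAME rules and for CNAME rules with a wildcard owner, as in the bulletin's examples. It assumes one record per line (no parenthesized multi-line records); the sample zone and the function name audit_rpz are constructed for illustration.

```python
import re

CLASSES = {"IN", "CH", "HS"}
TTL = re.compile(r"(\d+[smhdw]?)+", re.IGNORECASE)

# Constructed sample RPZ zone data (rule names follow the bulletin's examples).
SAMPLE_ZONE = """\
$TTL 300
@ IN SOA localhost. root.localhost. 1 3600 600 86400 300
@ IN NS localhost.
*.malicious1.dom CNAME www.redirected.dom
malicious2.dom 600 IN DNAME redirected.dom
blocked.dom CNAME .
"""

def audit_rpz(zone_text):
    """Return (line_no, owner, rtype) for every DNAME rule and every
    CNAME rule whose owner name is a wildcard."""
    findings, owner = [], None
    for no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]               # strip trailing comment
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                               # blank, comment or directive
        if not line[0].isspace():
            owner = fields.pop(0)                  # line starts with a new owner name
        # otherwise leading whitespace means the previous owner is reused
        while fields and (fields[0].upper() in CLASSES or TTL.fullmatch(fields[0])):
            fields.pop(0)                          # skip optional TTL / class
        if owner is None or not fields:
            continue
        rtype = fields[0].upper()
        wildcard = owner == "*" or owner.startswith("*.")
        if rtype == "DNAME" or (rtype == "CNAME" and wildcard):
            findings.append((no, owner, rtype))
    return findings

if __name__ == "__main__":
    for no, owner, rtype in audit_rpz(SAMPLE_ZONE):
        print(f"line {no}: {owner} {rtype} rule matches the affected pattern")
```

A non-empty result on a recursive server running an affected BIND version means the RPZ uses the rule types the bulletin describes.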
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ISC-BIND-denial-of-service-via-recursion-and-RPZ-10809