A Winsock library call on some Windows systems can return an incorrect value for an interface's netmask, potentially causing unexpected matches to BIND's built-in "localnets" Access Control List.
Posting date: 06 November 2013
Windows versions 9.6-ESV->9.6-ESV-R10, 9.8.0->9.8.6,
Subscription: 9.9.3-S1 and 9.9.4-S1. ONLY Windows servers are affected.
High, for Windows systems with a specific netmask value set.
On some Microsoft Windows systems, a network interface that has an "all ones" IPv4 subnet mask
(255.255.255.255) will be incorrectly reported (by the Winsock WSAIoctl API) as an all zeros value (0.0.0.0). Because interfaces' netmasks are used to compute the broadcast domain for each interface during construction of the built-in "localnets" ACL, an all zeroes netmask can cause matches on any IPv4 address, permitting unexpected access to any BIND feature configured to allow access to "localnets". And unless overridden by a specific value in named.conf, the default permissions for several BIND features (for example, allow-query-cache, allow-query-cache-on, allow-recursion, and others) use this predefined "localnets" ACL.
In addition, non-default access controls and other directives using an address match list with the predefined "localnets" ACL may not match as expected. This may include rndc "controls", "allow-notify", "allow-query", "allow-transfer", "allow-update", "blackhole", "filter-aaaa", "deny-answer-addresses", "exempt-clients", and other directives if an administrator has specified the "localnets" ACL in their match lists.
A support ticket has been filed with Microsoft for this winsock bug but Windows server administrators should use the workaround or upgrade to patched versions of BIND which override the incorrect value supplied by the flawed winsock call.
Only systems running versions of Microsoft Windows which have the flawed winsock call are vulnerable to this defect. Unix servers are not affected.
Under this defect, access controls and other directives which use "localnets" as part of the address match list may match much more broadly than was intended by the server administrator. Please note that in addition to configuration statements where the "localnets" acl is used explicitly, "localnets" may also be used in the default behavior for some features (such as "allow-recursion") unless specifically overridden in the configuration file. Allowing recursion to all reachable IPv4 addresses entails a number of risks, including increased exposure to cache poisoning and the possibility of being used in a reflection attack.
It is possible that in a small number of environments that correcting this defect may result in denial of service to desired clients that were previously permitted (erroneously) because of over-broad interpretation of "localnets". When upgrading to a patched version, administrators are advised to double-check their configuration file to confirm that all features which are controlled by access control lists are permitted appropriately.
CVSS Score: 6.8
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=.
On Windows, make sure you are not using a 255.255.255.255 netmask; or, if you have to use the 255.255.255.255 netmask, make sure you are not allowing default ACLs that contain "localnets".
For other scenarios on Windows, we recommend that administrators do not use the "localnets" ACL without using the patched version.
No known active exploits but a public discussion of the issue has taken place on a public mailing list and in a blog article.
Solution: Upgrade to the patched release most closely related to your current version of BIND. Open source versions can all be downloaded from http://www.isc.org/downloads. Subscription version customers will be contacted directly by ISC Support regarding delivery.
- BIND 9 version 9.6-ESV-R10-P1
- BIND 9 version 9.8.6-P1
- BIND 9 version 9.9.4-P1
Please Note: Older versions of BIND that are beyond their "end of life" (EOL) no longer receive testing or security fixes from ISC. For current
information on which versions are actively supported, please see http://www.isc.org/downloads/software-support-policy/bind-software-status/.
Acknowledgements: ISC would like to thank the Parallels Plesk Service Team for reporting the open DNS recursion issue.
Document Revision History:
1.0 Advance Notification, 30 October 2013
1.1 Phase 2&3 Notification, 05 November 2013
2.0 Public Disclosure, 06 November 2013
See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected.
This Knowledge Base article https://kb.isc.org/article/AA-01063 provides additional information and Frequently Asked Questions about this advisory.
If you'd like more information on our ISC Member program please visit https://www.isc.org/members/, or product support please visit http://www.dns-co.com/solutions/.
Do you still have questions? Questions regarding this advisory should go to email@example.com. To report a new issue, please encrypt your message using firstname.lastname@example.org's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/mission/contact/.
ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: ISC Software Defect and Security Vulnerability Disclosure Policy
This Knowledge Base article https://kb.isc.org/article/AA-01062 is the complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
© 2001-2016 Internet Systems ConsortiumPlease help us to improve the content of our knowledge base by letting us know below how we can improve this article. If you have a technical question or problem on which you'd like help, please don't submit it here as article feedback. For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.