CVE-2013-6230: A Winsock API Bug Can Cause a Side-Effect Affecting BIND ACLs
A Winsock library call on some Windows systems can return an incorrect value for an interface's netmask, potentially causing unexpected matches to BIND's built-in "localnets" Access Control List.
Document version: 2.0
Posting date: 06 November 2013
Program impacted: BIND
Versions affected: Windows versions 9.6-ESV->9.6-ESV-R10, 9.8.0->9.8.6, 9.9.0->9.9.4; Subscription: 9.9.3-S1 and 9.9.4-S1. ONLY Windows servers are affected.
Severity: High, for Windows systems with a specific netmask value set.
On some Microsoft Windows systems, a network interface that has an "all ones" IPv4 subnet mask (255.255.255.255) will be incorrectly reported (by the Winsock WSAIoctl API) as an all-zeroes value (0.0.0.0). Because each interface's address and netmask are used to compute its broadcast domain during construction of the built-in "localnets" ACL, an all-zeroes netmask produces a network that matches every IPv4 address, permitting unexpected access to any BIND feature configured to allow access to "localnets". Unless overridden by a specific value in named.conf, the default permissions for several BIND features (for example, allow-query-cache, allow-query-cache-on, allow-recursion, and others) use this predefined "localnets" ACL.
In addition, non-default access controls and other directives using an address match list with the predefined "localnets" ACL may not match as expected. This may include rndc "controls", "allow-notify", "allow-query", "allow-transfer", "allow-update", "blackhole", "filter-aaaa", "deny-answer-addresses", "exempt-clients", and other directives if an administrator has specified the "localnets" ACL in their match lists.
A support ticket has been filed with Microsoft for this Winsock bug, but Windows server administrators should apply the workaround below or upgrade to a patched version of BIND, which overrides the incorrect value supplied by the flawed Winsock call.
Only systems running versions of Microsoft Windows that have the flawed Winsock call are vulnerable to this defect. Unix servers are not affected.
Under this defect, access controls and other directives that use "localnets" as part of the address match list may match much more broadly than the server administrator intended. Please note that in addition to configuration statements where the "localnets" ACL is used explicitly, "localnets" may also be part of the default behavior for some features (such as "allow-recursion") unless specifically overridden in the configuration file. Allowing recursion to all reachable IPv4 addresses entails a number of risks, including increased exposure to cache poisoning and the possibility of being used in a reflection attack.
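The following Python model is an added example written for this article; it is not BIND source code. It derives a "localnets"-style ACL from a list of (address, netmask) pairs as an OS would report them, and shows the three outcomes the advisory describes for an interface with a 255.255.255.255 mask: the correct host-only match, the over-broad match when the mask arrives as 0.0.0.0, and the restored behaviour when that bogus value is overridden. The override rule (treat 0.0.0.0 as 255.255.255.255) models the intent of the fixed releases, not their exact code, and all addresses are constructed documentation ranges.

```python
"""
Added example (not BIND's own code): a model of how the built-in "localnets"
ACL is derived from the interface list, showing why an all-zeroes netmask
makes it match every IPv4 address, and how overriding that value restores
the intended host-only match for a 255.255.255.255 interface.
Only the IPv4 part of the ACL is modelled.
"""
import ipaddress


def localnets_from_interfaces(interfaces, override_zero_mask=False):
    """Build the IPv4 part of a "localnets"-style ACL.

    interfaces: list of (address, netmask) strings exactly as the OS
    reported them, e.g. [("192.0.2.10", "255.255.255.255")].

    Each interface contributes the network its address and netmask span
    (its broadcast domain). With override_zero_mask=True an all-zeroes
    netmask is replaced by a host mask; this models the intent of the
    patched BIND releases (override the bogus Winsock value), not their
    exact code.
    """
    nets = []
    for address, netmask in interfaces:
        if override_zero_mask and netmask == "0.0.0.0":
            netmask = "255.255.255.255"
        # strict=False masks off the host bits, as a broadcast-domain
        # computation does; a 0.0.0.0 netmask therefore yields 0.0.0.0/0.
        nets.append(ipaddress.IPv4Network((address, netmask), strict=False))
    return nets


def localnets_match(nets, client):
    """True if the client address falls inside any network of the ACL."""
    addr = ipaddress.IPv4Address(client)
    return any(addr in net for net in nets)


def demo():
    """Compare the correct, buggy and patched outcomes for one interface.

    Interface and client addresses are constructed documentation ranges.
    """
    correct = [("192.0.2.10", "255.255.255.255")]  # what the OS should report
    buggy = [("192.0.2.10", "0.0.0.0")]            # what the flawed WSAIoctl call reports
    remote = "198.51.100.7"                        # an arbitrary Internet client
    return {
        "correct_mask_matches_remote": localnets_match(
            localnets_from_interfaces(correct), remote),
        "buggy_mask_matches_remote": localnets_match(
            localnets_from_interfaces(buggy), remote),
        "patched_matches_remote": localnets_match(
            localnets_from_interfaces(buggy, override_zero_mask=True), remote),
        "buggy_network": str(localnets_from_interfaces(buggy)[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the remote client rejected with the correct mask, accepted once the mask is reported as 0.0.0.0 (the interface's network collapses to 0.0.0.0/0), and rejected again once the zero mask is overridden. The same collapse applies to every directive that names "localnets", which is why the advisory lists allow-recursion, allow-transfer, the rndc "controls" statement and the rest.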
It is possible, in a small number of environments, that correcting this defect may result in denial of service to desired clients that were previously permitted (erroneously) because of over-broad interpretation of "localnets". When upgrading to a patched version, administrators are advised to double-check their configuration file to confirm that all features which are controlled by access control lists are permitted appropriately.
CVSS Score: 6.8
CVSS Equation: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:P%29.
Workarounds: On Windows, do not assign a 255.255.255.255 netmask to any interface on the server; if such a netmask is required, make sure no feature relies on a default or explicit ACL that contains "localnets".
For all other scenarios on Windows, we recommend that administrators do not use the "localnets" ACL at all until they are running a patched version.
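As an added configuration example (not taken from the advisory or from ISC documentation), the named.conf fragment below applies the workaround: it names the intended clients in an explicit ACL and sets every directive that would otherwise default to "localnets", so the ACL computed from the flawed netmask is never consulted. The ACL name "trusted", the address ranges, the directory path and the rndc key name are assumptions to be replaced with site values.

```conf
// Added example, not ISC's configuration. Before: an options block that
// states nothing about recursion or query-cache access. named then falls
// back to its built-in default of "localnets; localhost;", and on an
// affected Windows host "localnets" may match every IPv4 address.
//
//   options {
//       directory "C:\named\etc";   // hypothetical path
//       recursion yes;
//   };

// After: name the intended clients explicitly and do not reference
// "localnets" anywhere in the file.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;          // example client range, replace with your own
};

options {
    directory "C:\named\etc";   // hypothetical path
    recursion yes;
    allow-recursion      { trusted; };
    allow-query-cache    { trusted; };
    allow-query-cache-on { 192.0.2.10; };   // example listener address
    allow-transfer       { none; };
};

// The rndc control channel has its own address match list; keep it
// literal as well, since the advisory lists "controls" among the
// statements where "localnets" is sometimes used.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
```

After applying a configuration like this, run the configuration checker that ships with your BIND build (named-checkconf) and confirm that no remaining statement, including the defaults you did not override, still depends on "localnets"; the advisory's list of affected directives is the checklist to work through.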
Active exploits: No known active exploits, but a discussion of the issue has taken place on a public mailing list and in a blog article.
Solution: Upgrade to the patched release most closely related to your current version of BIND. Open source versions can all be downloaded from https://www.isc.org/downloads/bind. Subscription version customers will be contacted directly by ISC Support regarding delivery.
- BIND 9 version 9.6-ESV-R10-P1
- BIND 9 version 9.8.6-P1
- BIND 9 version 9.9.4-P1
Acknowledgements: ISC would like to thank the Parallels Plesk Service Team for reporting the open DNS recursion issue.
Document Revision History:
1.0 Advance Notification, 30 October 2013
1.1 Phase 2&3 Notification, 05 November 2013
2.0 Public Disclosure, 06 November 2013
If you'd like more information on ISC Subscription Support and Advance Security Notifications, please visit https://www.isc.org/support/.
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.
Do you still have questions? Questions regarding this advisory should go to [email protected]. To report a new issue, please encrypt your message using [email protected]'s PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/.
Note: ISC patches only currently supported versions. When possible, we indicate EOL versions affected. (For current information on which versions are actively supported, please see https://www.isc.org/downloads/.)
ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy.
This Knowledgebase article is the complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.