From: Evan Hunt Date: Tue, 5 Jun 2018 04:57:49 +0000 (-0700) Subject: allow-recursion could incorrectly inherit from the default allow-query X-Git-Tag: v9.10.8rc2~11^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97600626c711585e7bb26cbc67711d072e87a62a;p=thirdparty%2Fbind9.git allow-recursion could incorrectly inherit from the default allow-query --- diff --git a/CHANGES b/CHANGES index 5aa238b8b9a..12a0da205d5 100644 --- a/CHANGES +++ b/CHANGES @@ -18,6 +18,13 @@ 4962. [cleanup] Move 'named -T' processing to its own function. [GL #316] +4960. [security] When recursion is enabled, but the "allow-recursion" + and "allow-query-cache" ACLs are not specified, + they should be limited to local networks, + but were inadvertently set to match the default + "allow-query", thus allowing remote queries. + (CVE-2018-5738) [GL #309] + 4958. [bug] Remove redundant space from NSEC3 record. [GL #281] 4955. [cleanup] Silence cppcheck warnings in lib/dns/master.c. diff --git a/bin/named/server.c b/bin/named/server.c index f69cba98dc2..1ae6f9a2382 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -2567,10 +2567,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, dns_acache_setcachesize(view->acache, max_acache_size); } - CHECK(configure_view_acl(vconfig, config, ns_g_config, - "allow-query", NULL, actx, - ns_g_mctx, &view->queryacl)); - /* * Make the list of response policy zone names for a view that * is used for real lookups and so cares about hints. @@ -3406,9 +3402,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, INSIST(result == ISC_R_SUCCESS); view->root_key_sentinel = cfg_obj_asboolean(obj); - CHECK(configure_view_acl(vconfig, config, ns_g_config, - "allow-query-cache-on", NULL, actx, - ns_g_mctx, &view->cacheonacl)); /* * Set sources where additional data and CNAME/DNAME * targets for authoritative answers may be found. @@ -3435,22 +3428,40 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, view->additionalfromcache = ISC_TRUE; } + CHECK(configure_view_acl(vconfig, config, ns_g_config, + "allow-query-cache-on", NULL, actx, + ns_g_mctx, &view->cacheonacl)); + /* - * Set "allow-query-cache", "allow-recursion", and - * "allow-recursion-on" acls if configured in named.conf. - * (Ignore the global defaults for now, because these ACLs - * can inherit from each other when only some of them set at - * the options/view level.) + * Set the "allow-query", "allow-query-cache", "allow-recursion", + * and "allow-recursion-on" ACLs if configured in named.conf, but + * NOT from the global defaults. This is done by leaving the third + * argument to configure_view_acl() NULL. + * + * We ignore the global defaults here because these ACLs + * can inherit from each other. If any are still unset after + * applying the inheritance rules, we'll look up the defaults at + * that time. */ - CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", - NULL, actx, ns_g_mctx, &view->cacheacl)); + + /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-query", NULL, actx, + ns_g_mctx, &view->queryacl)); + + /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-query-cache", NULL, actx, + ns_g_mctx, &view->cacheacl)); if (strcmp(view->name, "_bind") != 0 && view->rdclass != dns_rdataclass_chaos) { + /* named.conf only */ CHECK(configure_view_acl(vconfig, config, NULL, "allow-recursion", NULL, actx, ns_g_mctx, &view->recursionacl)); + /* named.conf only */ CHECK(configure_view_acl(vconfig, config, NULL, "allow-recursion-on", NULL, actx, ns_g_mctx, &view->recursiononacl)); @@ -3488,18 +3499,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, * the global config. */ if (view->recursionacl == NULL) { + /* global default only */ CHECK(configure_view_acl(NULL, NULL, ns_g_config, "allow-recursion", NULL, actx, ns_g_mctx, &view->recursionacl)); } if (view->recursiononacl == NULL) { + /* global default only */ CHECK(configure_view_acl(NULL, NULL, ns_g_config, "allow-recursion-on", NULL, actx, ns_g_mctx, &view->recursiononacl)); } if (view->cacheacl == NULL) { + /* global default only */ CHECK(configure_view_acl(NULL, NULL, ns_g_config, "allow-query-cache", NULL, actx, ns_g_mctx, @@ -3513,6 +3527,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, CHECK(dns_acl_none(mctx, &view->cacheacl)); } + if (view->queryacl == NULL) { + /* global default only */ + CHECK(configure_view_acl(NULL, NULL, ns_g_config, + "allow-query", NULL, + actx, ns_g_mctx, + &view->queryacl)); + } + /* * Ignore case when compressing responses to the specified * clients. This causes case not always to be preserved, diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 905c5042744..5b3d30d5c7c 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -50,42 +50,11 @@ - An error in TSIG handling could permit unauthorized zone - transfers or zone updates. These flaws are disclosed in - CVE-2017-3142 and CVE-2017-3143. [RT #45383] - - - - - The BIND installer on Windows used an unquoted service path, - which can enable privilege escalation. This flaw is disclosed - in CVE-2017-3141. [RT #45229] - - - - - With certain RPZ configurations, a response with TTL 0 - could cause named to go into an infinite - query loop. This flaw is disclosed in CVE-2017-3140. - [RT #45181] - - - - - Addresses could be referenced after being freed during resolver - processing, causing an assertion failure. The chances of this - happening were remote, but the introduction of a delay in - resolution increased them. This bug is disclosed in - CVE-2017-3145. [RT #46839] - - - - - update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. If the name field was omitted - from the rule declaration and a type list was present it wouldn't - be interpreted as expected. + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]