From: Evan Hunt Date: Tue, 27 Jun 2017 19:28:42 +0000 (-0700) Subject: [v9_9_10_patch] address TSIG bypass/forgery vulnerabilities X-Git-Tag: v9.9.10-P2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e9eddde3ff6a7a1541835e8cc2f0c49af985ef73;p=thirdparty%2Fbind9.git [v9_9_10_patch] address TSIG bypass/forgery vulnerabilities 4643. [security] An error in TSIG handling could permit unauthorized zone transfers or zone updates. (CVE-2017-3142) (CVE-2017-3143) [RT #45383] --- diff --git a/CHANGES b/CHANGES index e7230caed53..07e13f226fa 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ + --- 9.9.10-P2 released --- + +4643. [security] An error in TSIG handling could permit unauthorized + zone transfers or zone updates. (CVE-2017-3142) + (CVE-2017-3143) [RT #45383] + 4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET. --- 9.9.10-P1 released --- diff --git a/README b/README index 47e03d7e40c..596f436da65 100644 --- a/README +++ b/README @@ -51,6 +51,11 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.9.10-P2 + + This version contains a fix for the security flaws + disclosed in CVE-2017-3142 and CVE-2017-3143. + BIND 9.9.10-P1 This version contains a fix for the security flaws diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 98edd1b288f..946d8c45a99 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -27,7 +27,11 @@ BIND 9.9.10-P1 addresses the security issues described in CVE-2017-3140 and CVE-2017-3141. - + + BIND 9.9.10-P2 addresses the security issues described in + CVE-2017-3142 and CVE-2017-3143. It also includes an update + to the address of the B root server. + @@ -72,6 +76,13 @@
Security Fixes + + + An error in TSIG handling could permit unauthorized zone + transfers or zone updates. These flaws are disclosed in + CVE-2017-3142 and CVE-2017-3143. [RT #45383] + + The BIND installer on Windows used an unquoted service path, diff --git a/lib/dns/api b/lib/dns/api index f833991e771..d4285640528 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -7,5 +7,5 @@ # 9.10: 140-149, 170-179 # 9.11: 160-169 LIBINTERFACE = 173 -LIBREVISION = 2 +LIBREVISION = 3 LIBAGE = 0 diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index a9bcd585e47..29af9837c2c 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -976,6 +976,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, mctx = msg->mctx; msg->verify_attempted = 1; + msg->verified_sig = 0; + msg->sig0status = dns_tsigerror_badsig; if (is_response(msg)) { if (msg->query.base == NULL) @@ -1070,6 +1072,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, } msg->verified_sig = 1; + msg->sig0status = dns_rcode_noerror; dst_context_destroy(&ctx); dns_rdata_freestruct(&sig); diff --git a/lib/dns/message.c b/lib/dns/message.c index 5c7ca2067f1..5f03ec88f31 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -3052,12 +3052,19 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { result = dns_rdata_tostruct(&rdata, &tsig, NULL); INSIST(result == ISC_R_SUCCESS); - if (msg->tsigstatus != dns_rcode_noerror) + if (msg->verified_sig && + msg->tsigstatus == dns_rcode_noerror && + tsig.error == dns_rcode_noerror) + { + result = ISC_R_SUCCESS; + } else if ((!msg->verified_sig) || + (msg->tsigstatus != dns_rcode_noerror)) + { result = DNS_R_TSIGVERIFYFAILURE; - else if (tsig.error != dns_rcode_noerror) + } else { + INSIST(tsig.error != dns_rcode_noerror); result = DNS_R_TSIGERRORSET; - else - result = ISC_R_SUCCESS; + } dns_rdata_freestruct(&tsig); if (msg->tsigkey == NULL) { diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index fea66a7cccd..4ea6259439d 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -954,9 +954,10 @@ dns_tsig_sign(dns_message_t *msg) { return (ret); /* - * If this is a response, digest the query signature. + * If this is a response and the query's signature + * validated, digest the query signature. */ - if (response) { + if (response && (tsig.error == dns_rcode_noerror)) { dns_rdata_t querytsigrdata = DNS_RDATA_INIT; ret = dns_rdataset_first(msg->querytsig); @@ -1194,6 +1195,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey)); msg->verify_attempted = 1; + msg->verified_sig = 0; + msg->tsigstatus = dns_tsigerror_badsig; if (msg->tcp_continuation) { if (tsigkey == NULL || msg->querytsig == NULL) @@ -1313,27 +1316,31 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, return (ret); if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || - alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) { + alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) + { isc_uint16_t digestbits = dst_key_getbits(key); if (tsig.siglen > siglen) { tsig_log(msg->tsigkey, 2, "signature length too big"); return (DNS_R_FORMERR); } if (tsig.siglen > 0 && - (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) { + (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) + { tsig_log(msg->tsigkey, 2, "signature length below minimum"); return (DNS_R_FORMERR); } if (tsig.siglen > 0 && digestbits != 0 && - tsig.siglen < ((digestbits + 1) / 8)) { + tsig.siglen < ((digestbits + 1) / 8)) + { msg->tsigstatus = dns_tsigerror_badtrunc; tsig_log(msg->tsigkey, 2, "truncated signature length too small"); return (DNS_R_TSIGVERIFYFAILURE); } if (tsig.siglen > 0 && digestbits == 0 && - tsig.siglen < siglen) { + tsig.siglen < siglen) + { msg->tsigstatus = dns_tsigerror_badtrunc; tsig_log(msg->tsigkey, 2, "signature length too small"); return (DNS_R_TSIGVERIFYFAILURE); @@ -1351,7 +1358,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, if (ret != ISC_R_SUCCESS) return (ret); - if (response) { + if (response && (tsig.error == dns_rcode_noerror)) { isc_buffer_init(&databuf, data, sizeof(data)); isc_buffer_putuint16(&databuf, querytsig.siglen); isc_buffer_usedregion(&databuf, &r); @@ -1456,10 +1463,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, tsig_log(msg->tsigkey, 2, "signature failed to verify(1)"); goto cleanup_context; - } else if (ret != ISC_R_SUCCESS) + } else if (ret != ISC_R_SUCCESS) { goto cleanup_context; - - dst_context_destroy(&ctx); + } } else if (tsig.error != dns_tsigerror_badsig && tsig.error != dns_tsigerror_badkey) { msg->tsigstatus = dns_tsigerror_badsig; @@ -1467,18 +1473,18 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, return (DNS_R_TSIGVERIFYFAILURE); } - msg->tsigstatus = dns_rcode_noerror; - if (tsig.error != dns_rcode_noerror) { + msg->tsigstatus = tsig.error; if (tsig.error == dns_tsigerror_badtime) - return (DNS_R_CLOCKSKEW); + ret = DNS_R_CLOCKSKEW; else - return (DNS_R_TSIGERRORSET); + ret = DNS_R_TSIGERRORSET; + goto cleanup_context; } + msg->tsigstatus = dns_rcode_noerror; msg->verified_sig = 1; - - return (ISC_R_SUCCESS); + ret = ISC_R_SUCCESS; cleanup_context: if (ctx != NULL) @@ -1510,6 +1516,9 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { REQUIRE(msg->tcp_continuation == 1); REQUIRE(msg->querytsig != NULL); + msg->verified_sig = 0; + msg->tsigstatus = dns_tsigerror_badsig; + if (!is_response(msg)) return (DNS_R_EXPECTEDRESPONSE); @@ -1548,7 +1557,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { * Do the key name and algorithm match that of the query? */ if (!dns_name_equal(keyname, &tsigkey->name) || - !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) { + !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) + { msg->tsigstatus = dns_tsigerror_badkey; ret = DNS_R_TSIGVERIFYFAILURE; tsig_log(msg->tsigkey, 2, @@ -1567,7 +1577,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { ret = DNS_R_CLOCKSKEW; goto cleanup_querystruct; } else if (now + msg->timeadjust < - tsig.timesigned - tsig.fudge) { + tsig.timesigned - tsig.fudge) + { msg->tsigstatus = dns_tsigerror_badtime; tsig_log(msg->tsigkey, 2, "signature is in the future"); @@ -1673,10 +1684,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { sig_r.length = tsig.siglen; if (tsig.siglen == 0) { if (tsig.error != dns_rcode_noerror) { - if (tsig.error == dns_tsigerror_badtime) + msg->tsigstatus = tsig.error; + if (tsig.error == dns_tsigerror_badtime) { ret = DNS_R_CLOCKSKEW; - else + } else { ret = DNS_R_TSIGERRORSET; + } } else { tsig_log(msg->tsigkey, 2, "signature is empty"); @@ -1692,24 +1705,32 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { "signature failed to verify(2)"); ret = DNS_R_TSIGVERIFYFAILURE; goto cleanup_context; - } - else if (ret != ISC_R_SUCCESS) + } else if (ret != ISC_R_SUCCESS) { goto cleanup_context; + } - dst_context_destroy(&msg->tsigctx); + if (tsig.error != dns_rcode_noerror) { + msg->tsigstatus = tsig.error; + if (tsig.error == dns_tsigerror_badtime) + ret = DNS_R_CLOCKSKEW; + else + ret = DNS_R_TSIGERRORSET; + goto cleanup_context; + } } msg->tsigstatus = dns_rcode_noerror; - return (ISC_R_SUCCESS); + msg->verified_sig = 1; + ret = ISC_R_SUCCESS; cleanup_context: - dst_context_destroy(&msg->tsigctx); + if (msg->tsigctx != NULL) + dst_context_destroy(&msg->tsigctx); cleanup_querystruct: dns_rdata_freestruct(&querytsig); return (ret); - } isc_result_t diff --git a/version b/version index 87fac20d2d8..cb6e54d1d65 100644 --- a/version +++ b/version @@ -7,5 +7,5 @@ MAJORVER=9 MINORVER=9 PATCHVER=10 RELEASETYPE=-P -RELEASEVER=1 +RELEASEVER=2 EXTENSIONS=