From: Evan Hunt <each@isc.org>
Date: Tue, 5 Jun 2018 04:59:33 +0000 (-0700)
Subject: allow-recursion could incorrectly inherit from the default allow-query
X-Git-Tag: v9.9.13rc2~9^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fae03da5cb6370fd823d03818871ef70e4049543;p=thirdparty%2Fbind9.git

allow-recursion could incorrectly inherit from the default allow-query
---

diff --git a/CHANGES b/CHANGES
index 59487847d4c..75b5a0aac9c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -18,6 +18,13 @@
 4962.	[cleanup]	Move 'named -T' processing to its own function.
 			[GL #316]
 
+4960.	[security]	When recursion is enabled, but the "allow-recursion"
+			and "allow-query-cache" ACLs are not specified,
+			they should be limited to local networks,
+			but were inadvertently set to match the default
+			"allow-query", thus allowing remote queries.
+			(CVE-2018-5738) [GL #309]
+
 4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
 
 4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
diff --git a/bin/named/server.c b/bin/named/server.c
index 5f5c39c3080..de6d726172e 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2308,10 +2308,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		dns_acache_setcachesize(view->acache, max_acache_size);
 	}
 
-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
-				 "allow-query", NULL, actx,
-				 ns_g_mctx, &view->queryacl));
-
 	/*
 	 * Make the list of response policy zone names for a view that
 	 * is used for real lookups and so cares about hints.
@@ -3120,10 +3116,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	INSIST(result == ISC_R_SUCCESS);
 	view->root_key_sentinel = cfg_obj_asboolean(obj);
 
-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
-				 "allow-query-cache-on", NULL, actx,
-				 ns_g_mctx, &view->cacheonacl));
-
 	/*
 	 * Set sources where additional data and CNAME/DNAME
 	 * targets for authoritative answers may be found.
@@ -3150,22 +3142,40 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		view->additionalfromcache = ISC_TRUE;
 	}
 
+	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+				 "allow-query-cache-on", NULL, actx,
+				 ns_g_mctx, &view->cacheonacl));
+
 	/*
-	 * Set "allow-query-cache", "allow-recursion", and
-	 * "allow-recursion-on" acls if configured in named.conf.
-	 * (Ignore the global defaults for now, because these ACLs
-	 * can inherit from each other when only some of them set at
-	 * the options/view level.)
+	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
+	 * and "allow-recursion-on" ACLs if configured in named.conf, but
+	 * NOT from the global defaults. This is done by leaving the third
+	 * argument to configure_view_acl() NULL.
+	 *
+	 * We ignore the global defaults here because these ACLs
+	 * can inherit from each other.  If any are still unset after
+	 * applying the inheritance rules, we'll look up the defaults at
+	 * that time.
 	 */
-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
-				 NULL, actx, ns_g_mctx, &view->cacheacl));
+
+	/* named.conf only */
+	CHECK(configure_view_acl(vconfig, config, NULL,
+				 "allow-query", NULL, actx,
+				 ns_g_mctx, &view->queryacl));
+
+	/* named.conf only */
+	CHECK(configure_view_acl(vconfig, config, NULL,
+				 "allow-query-cache", NULL, actx,
+				 ns_g_mctx, &view->cacheacl));
 
 	if (strcmp(view->name, "_bind") != 0 &&
 	    view->rdclass != dns_rdataclass_chaos)
 	{
+		/* named.conf only */
 		CHECK(configure_view_acl(vconfig, config, NULL,
 					 "allow-recursion", NULL, actx,
 					 ns_g_mctx, &view->recursionacl));
+		/* named.conf only */
 		CHECK(configure_view_acl(vconfig, config, NULL,
 					 "allow-recursion-on", NULL, actx,
 					 ns_g_mctx, &view->recursiononacl));
@@ -3203,18 +3213,21 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		 * the global config.
 		 */
 		if (view->recursionacl == NULL) {
+			/* global default only */
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
 						 "allow-recursion", NULL,
 						 actx, ns_g_mctx,
 						 &view->recursionacl));
 		}
 		if (view->recursiononacl == NULL) {
+			/* global default only */
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
 						 "allow-recursion-on", NULL,
 						 actx, ns_g_mctx,
 						 &view->recursiononacl));
 		}
 		if (view->cacheacl == NULL) {
+			/* global default only */
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
 						 "allow-query-cache", NULL,
 						 actx, ns_g_mctx,
@@ -3228,6 +3241,14 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		CHECK(dns_acl_none(mctx, &view->cacheacl));
 	}
 
+	if (view->queryacl == NULL) {
+		/* global default only */
+		CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+					 "allow-query", NULL,
+					 actx, ns_g_mctx,
+					 &view->queryacl));
+	}
+
 	/*
 	 * Ignore case when compressing responses to the specified
 	 * clients. This causes case not always to be preserved,
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index aecf5c4971d..2dd7e4098b3 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -52,42 +52,11 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  An error in TSIG handling could permit unauthorized zone
-	  transfers or zone updates. These flaws are disclosed in
-	  CVE-2017-3142 and CVE-2017-3143. [RT #45383]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  The BIND installer on Windows used an unquoted service path,
-	  which can enable privilege escalation. This flaw is disclosed
-	  in CVE-2017-3141. [RT #45229]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  With certain RPZ configurations, a response with TTL 0
-	  could cause <command>named</command> to go into an infinite
-	  query loop. This flaw is disclosed in CVE-2017-3140.
-	  [RT #45181]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Addresses could be referenced after being freed during resolver
-	  processing, causing an assertion failure. The chances of this
-	  happening were remote, but the introduction of a delay in
-	  resolution increased them. This bug is disclosed in
-	  CVE-2017-3145. [RT #46839]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  update-policy rules that otherwise ignore the name field now
-	  require that it be set to "." to ensure that any type list
-	  present is properly interpreted.  If the name field was omitted
-	  from the rule declaration and a type list was present it wouldn't
-	  be interpreted as expected.
+	  When recursion is enabled but the <command>allow-recursion</command>
+	  and <command>allow-query-cache</command> ACLs are not specified, they
+	  should be limited to local networks, but they were inadvertently set
+	  to match the default <command>allow-query</command>, thus allowing
+	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
 	</para>
       </listitem>
     </itemizedlist>