oss-sec mailing list archives
Re: Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public
From: Florian Weimer <fweimer () redhat com>
Date: Thu, 3 Sep 2015 21:02:50 +0200
On 09/02/2015 10:52 PM, ISC Security Officer wrote:

> Please be advised that ISC publicly announced two critical vulnerabilities in BIND:
>
> + CVE-2015-5722 is a denial-of-service vector which can be exploited remotely against a BIND server that is performing validation on DNSSEC-signed records. All versions of BIND since 9.0.0 are vulnerable. https://kb.isc.org/article/AA-01287

Your patch had quite good obfuscation, and it took me a while to see where the actual fix was. Was this deliberate? But anyway, we can confirm it's exploitable over the network.

Nice analysis, I would not have immediately seen that if I only had Hanno's reproducer.

For validating recursors, it's actually quite a bit worse than CVE-2015-5477 because CVE-2015-5722 does not require a completely crafted query, just an attacker-controlled QNAME (which can be in the in-addr.arpa or ip6.arpa tree) is sufficient. So attacks could be reflected through basically anything.

> + CVE-2015-5986 is a denial-of-service vector which can be used against a BIND server that is performing recursion and (under limited conditions) an authoritative-only nameserver. Versions of BIND since 9.9.7 and 9.10.2 are vulnerable. https://kb.isc.org/article/AA-01291

This can't be reflected as easily, only through applications that use the affected record type.

-- 
Florian Weimer / Red Hat Product Security
Current thread:
- Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public ISC Security Officer (Sep 02)
- Re: Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public Florian Weimer (Sep 03)
- Re: Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public Mark Andrews (Sep 03)
- Re: Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public Florian Weimer (Sep 03)