FreeBSD Security Advisory FreeBSD-SA-15:05.bind

Bartek Rutkowski robak at freebsd.org
Wed Feb 25 07:36:42 UTC 2015 

On Wed, Feb 25, 2015 at 6:29 AM, FreeBSD Security Advisories
<security-advisories at freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-15:05.bind                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          BIND remote denial of service vulnerability
>
> Category:       contrib
> Module:         bind
> Announced:      2015-02-25
> Credits:        ISC
> Affects:        FreeBSD 8.x and FreeBSD 9.x.
> Corrected:      2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE)
>                 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
>                 2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE)
>                 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
> CVE Name:       CVE-2015-1349
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.
>
> II.  Problem Description
>
> BIND servers which are configured to perform DNSSEC validation and which
> are using managed keys (which occurs implicitly when using
> "dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
> unpredictable behavior due to the use of an improperly initialized
> variable.
>
> III. Impact
>
> A remote attacker can trigger a crash of a name server that is configured
> to use managed keys under specific and limited circumstances.  However,
> the complexity of the attack is very high unless the attacker has a
> specific network relationship to the BIND server which is targeted.
>
> IV.  Workaround
>
> Only systems that runs BIND, including recursive resolvers and authoritative
> servers that performs DNSSEC validation and using managed-keys are affected.
>
> This issue can be worked around by not using "auto" for the dnssec-validation
> or dnssec-lookaside options and do not configure a managed-keys statement.
> Note that in order to do DNSSEC validation with this workaround one would
> have to configure an explicit trusted-keys statement with the appropriate
> keys.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>

Seems like freebsd-update is throwing some error:

root at 04-dev:~ # freebsd-update install
Installing updates...install:
///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or
directory
 done.
root at 04-dev:~ # uname -a
FreeBSD 04-dev 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27
08:55:07 UTC 2015
root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

Anything to worry about?

Kind regards,
Bartek Rutkowski

More information about the freebsd-security mailing list