Bug 1027689 (CVE-2013-6230)

Summary: CVE-2013-6230 bind: localnets ACL bypass caused by WinSock API bug
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: jkurik, jpopelka, pfrields, psimerda, thozza, vonsch
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: bind 9.6-ESV-R10-P1, bind 9.8.6-P1, bind 9.9.4-P1
Doc Type: Bug Fix
Last Closed: 2013-11-07 09:54:43 UTC

Description Tomas Hoger 2013-11-07 09:52:36 UTC
ISC published a security advisory for the BIND name server:

  https://kb.isc.org/article/AA-01062

  CVE-2013-6230: A Winsock API Bug Can Cause a Side-Effect Affecting BIND ACLs

  A Winsock library call on some Windows systems can return an incorrect
  value for an interface's netmask, potentially causing unexpected matches
  to BIND's built-in "localnets" Access Control List.

  On some Microsoft Windows systems, a network interface that has an "all
  ones" IPv4 subnet mask (255.255.255.255) will be incorrectly reported (by
  the Winsock WSAIoctl API) as an all zeros value (0.0.0.0). Because
  interfaces' netmasks are used to compute the broadcast domain for each
  interface during construction of the built-in "localnets" ACL, an all
  zeroes netmask can cause matches on any IPv4 address, permitting
  unexpected access to any BIND feature configured to allow access to
  "localnets".  And unless overridden by a specific value in named.conf,
  the default permissions for several BIND features (for example,
  allow-query-cache, allow-query-cache-on, allow-recursion, and others) use
  this predefined "localnets" ACL.  

  ...

  Only systems running versions of Microsoft Windows which have the flawed
  winsock call are vulnerable to this defect.  Unix servers are not
  affected.

The following BIND versions contain a fix to work around the WinSock API bug:

  BIND 9 version 9.6-ESV-R10-P1
  BIND 9 version 9.8.6-P1
  BIND 9 version 9.9.4-P1

External References:

https://kb.isc.org/article/AA-01062
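
The netmask arithmetic behind the advisory, as an added example that is not BIND's code or ISC's patch: it shows why an interface whose /32 mask is reported as 0.0.0.0 makes a "localnets"-style match succeed for any IPv4 client, and how a sanity check on the reported mask closes that. The struct, function names, sample addresses and the choice to treat a zero mask as /32 are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
/* An interface as the OS reports it: address and netmask, host byte order. */
struct iface { uint32_t addr, mask; };

/* localnets-style test: is the client inside the interface's network? */
static int in_localnet(const struct iface *ifc, uint32_t client)
{
    return (client & ifc->mask) == (ifc->addr & ifc->mask);
}

/* Match a client against every interface, trusting the reported masks. */
static int localnets_match(const struct iface *ifs, int n, uint32_t client)
{
    for (int i = 0; i < n; i++)
        if (in_localnet(&ifs[i], client))
            return 1;
    return 0;
}

/* Same match, but a zero mask on a configured address is treated as a host
 * mask (/32). Assumption of this example, not taken from ISC's patch. */
static int localnets_match_checked(const struct iface *ifs, int n, uint32_t client)
{
    for (int i = 0; i < n; i++) {
        struct iface fixed = ifs[i];
        if (fixed.mask == 0 && fixed.addr != 0)
            fixed.mask = 0xFFFFFFFFu;
        if (in_localnet(&fixed, client))
            return 1;
    }
    return 0;
}

/* Constructed sample: a /24 LAN interface, and a /32 one reported as 0.0.0.0. */
static const struct iface reported[] = {
    { IP4(198, 51, 100, 5), IP4(255, 255, 255, 0) },
    { IP4(192, 0, 2, 10),   IP4(0, 0, 0, 0) },
};

int main(void)
{
    uint32_t remote = IP4(203, 0, 113, 7);   /* unrelated remote client */
    printf("trusting reported masks: %d\n", localnets_match(reported, 2, remote));
    printf("with zero-mask check:    %d\n", localnets_match_checked(reported, 2, remote));
    return 0;
}
```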

Comment 1 Tomas Hoger 2013-11-07 09:54:43 UTC
Statement:

Not vulnerable. This flaw only affected BIND on Microsoft Windows platforms with a flawed WinSock call. This vulnerability does not affect BIND on Linux or Unix platforms.