Bug 1631131 (CVE-2018-5741)
| Summary: | CVE-2018-5741 bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | anon.amish, bmcclain, dblechte, dfediuck, eedri, jpopelka, mgoldboi, michal.skrivanek, mruprich, msehnout, pemensik, pzhukov, sbeal, sbonazzo, security-response-team, sherold, thozza, vonsch, yozone, zdohnal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | bind 9.11.4-P2, bind 9.12.2-P2, bind 9.13.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-06 19:19:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1631132, 1631133, 1631134, 1631371 | ||
| Bug Blocks: | 1628421 | ||
Description
Sam Fowler
2018-09-20 03:45:50 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1631132]

Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1631133]

More details about what was reported upstream can be found in the following Debian bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908595

There, the reporter explains that the behavior of the krb5-subdomain and ms-subdomain update policies did not work as documented, and why they believed the problem to be in the implementation rather than the documentation. It's noted that what upstream considers to be the intended behavior of krb5-subdomain can already be implemented via subdomain, and that the principal processing done for krb5-subdomain suggests a different intention, as that processing is not needed to implement the behavior upstream considers as intended.

The upstream advisory:

https://kb.isc.org/docs/cve-2018-5741

provides information on why upstream believes the problem to only be a documentation bug, including the concerns regarding changing behavior in stable releases. Their decision was to not change behavior, update documentation to match the behavior, and add new policies krb5-selfsub and ms-selfsub implementing the previously documented behavior.

Upstream notes that the affected update policies were implemented some time before they got documented in the BIND 9 Administrator Reference Manual (BIND 9 ARM). The documentation was added as part of upstream change 3112:

https://gitlab.isc.org/isc-projects/bind9/commit/0268e42b4e5b83e1e5806caddd3b38e14735d739

According to the upstream CHANGES file, this change was first included in versions 9.7.4rc1, 9.8.1b1, and 9.9.0a1.

The documentation update changing the description of the policy behavior was applied upstream as change 5022:

https://gitlab.isc.org/isc-projects/bind9/commit/0370d136673052dbe18e830182e73278bbba9c21
https://gitlab.isc.org/isc-projects/bind9/commit/a3c5c2c29c46cba6d077364af86984fd5d1ebedd
https://gitlab.isc.org/isc-projects/bind9/merge_requests/708

These changes were included in upstream versions 9.11.4-P2, 9.12.2-P2, and 9.13.3. This is how the documentation was changed:

https://ftp.isc.org/isc/bind9/9.13.2/doc/arm/Bv9ARM.ch05.html#dynamic_update_policies

> ms-subdomain
>
> This rule takes a Windows machine principal (machine$@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM to be matched is specified in the identity field.
>
> krb5-subdomain
>
> This rule takes a Kerberos machine principal (host/machine@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM to be matched is specified in the identity field. The name field should be set to ".".

https://ftp.isc.org/isc/bind9/9.13.3/doc/arm/Bv9ARM.ch05.html#dynamic_update_policies

> ms-subdomain
>
> When a client sends an UPDATE using a Windows machine principal (for example, 'machine$@REALM'), this rule allows any machine in the specified realm to update any record in the zone or in a specified subdomain of the zone. The realm to be matched is specified in the identity field. The name field specifies the subdomain that may be updated. If set to "." (or any other name at or above the zone apex), any name in the zone can be updated. For example, if update-policy for the zone "example.com" includes `grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA`, any machine with a valid principal in the realm EXAMPLE.COM will be able to update address records at or below "hosts.example.com".
>
> krb5-subdomain
>
> This rule is identical to ms-subdomain, except that it works with Kerberos machine principals (i.e., 'host/machine@REALM') rather than Windows machine principals.

Upstream notes that the new policies krb5-selfsub and ms-selfsub are expected to be included in future versions 9.11.5 and 9.12.3. The relevant upstream change id is 5032 and the upstream issue and merge requests are:

https://gitlab.isc.org/isc-projects/bind9/issues/511
https://gitlab.isc.org/isc-projects/bind9/merge_requests/732/diffs

The affected functionality is available in bind packages in Red Hat Enterprise Linux 5 and later (in the case of the bind package in Red Hat Enterprise Linux 5, it's only usable as of Red Hat Enterprise Linux 5.3, see bug 457932). However, the problematic documentation is only included in bind packages in Red Hat Enterprise Linux 6 and 7; there's no documentation for the functionality in the bind and bind97 packages in Red Hat Enterprise Linux 5.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2057 https://access.redhat.com/errata/RHSA-2019:2057

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-5741
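As an added example (not BIND's code and not part of this bug report), the following Python model puts the two behaviours discussed above side by side: what krb5-subdomain/ms-subdomain actually do (any machine principal in the realm may update names at or below the rule's name field) and what the old ARM text described, which upstream moved to the new krb5-selfsub/ms-selfsub rules (a machine may only update names at or below machine.realm). It assumes, as simplifications, that the realm is lowercased to form the domain, that machine names in principals are unqualified, and that zone boundaries and BIND's special-cased record types are ignored; the grant-line parser is a hypothetical helper, not BIND's parser.

```python
# Added example (not BIND's code): a model of the update-policy rule types this
# bug is about. Assumptions: realm lowercased to form the domain, unqualified
# machine names in principals, zone boundaries and RRSIG/NS/SOA special cases
# ignored, and a simplified 'grant' line parser.

def principal_machine(principal):
    """Return (kind, machine, realm) for a machine principal, else None."""
    if "@" not in principal:
        return None
    left, realm = principal.split("@", 1)
    if left.startswith("host/"):          # Kerberos machine principal
        return "krb5", left[len("host/"):], realm
    if left.endswith("$"):                # Windows machine principal
        return "ms", left[:-1], realm
    return None                           # user principal: no rule matches

def at_or_below(name, apex):
    """True if name equals apex or lies beneath it ('.' means everything)."""
    name, apex = name.rstrip(".").lower(), apex.rstrip(".").lower()
    return apex == "" or name == apex or name.endswith("." + apex)

def grant_allows(grant, principal, target, rrtype):
    """Evaluate one 'grant IDENTITY RULETYPE [NAME] [TYPES...]' policy line."""
    parts = grant.strip().rstrip(";").split()
    if len(parts) < 3 or parts[0] != "grant":
        raise ValueError("expected: grant IDENTITY RULETYPE [NAME] [TYPES...]")
    identity, ruletype, rest = parts[1], parts[2], parts[3:]
    rule_name, types = (rest[0] if rest else "."), rest[1:]
    kind, _, policy = ruletype.partition("-")
    parsed = principal_machine(principal)
    if parsed is None or parsed[0] != kind or parsed[2] != identity:
        return False                      # wrong principal form or realm
    if types and rrtype.upper() not in [t.upper() for t in types]:
        return False                      # record type not granted
    machine, realm = parsed[1], parsed[2]
    if policy == "subdomain":             # actual behaviour: realm-wide grant
        return at_or_below(target, rule_name)
    if policy == "selfsub":               # previously documented behaviour
        return at_or_below(target, machine + "." + realm.lower())
    raise ValueError("rule type not modelled: " + ruletype)

# The grant quoted from the updated ARM text, and the selfsub form that limits
# each machine to its own subtree (constructed sample policy lines).
SUBDOMAIN_GRANT = "grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA;"
SELFSUB_GRANT = "grant EXAMPLE.COM ms-selfsub . A AAAA;"
```

With SUBDOMAIN_GRANT, every machine principal in EXAMPLE.COM can rewrite every address record under hosts.example.com, which is the exposure an administrator relying on the old documentation would not have expected.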