Bug 788650 (CVE-2012-1033)

Summary: CVE-2012-1033 bind: deleted domain name resolving flaw
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: atkac, jlieskov, mfuruta, moshiro, oe, yohmura, zzhou
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-06-07 17:24:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 799978, 816615, 828288, 828289, 828297, 828668
Bug Blocks: 788655, 827605

Description Vincent Danen 2012-02-08 17:38:19 UTC
A vulnerability was found that affects the large majority of popular DNS implementations, including ISC BIND, which allow a malicious domain name to stay resolvable long after it has been removed from the upper level servers. According to Tsinghua University researchers, it exploits a flaw in DNS cache update policy, which prevents effective domain name revocation.

There is currently no known exploit, and no fix has been produced by ISC as of yet.

External References:

https://www.isc.org/software/bind/advisories/cve-2012-1033

Comment 1 Vincent Danen 2012-02-09 04:11:47 UTC
ISC has updated their CVE page to note that they do not intend to fix this as it is an issue at the DNS protocol level, and not in the implementation.  They do intend to do further analysis and research, and suggest using DNSSEC to mitigate this if users deem it necessary, stating that "unsecured DNS is not designed to be relied on for security".

Comment 5 Oden Eriksson 2012-02-27 09:54:25 UTC
Of course they want to push DNSSEC instead of "fixing it". At least in Sweden DNSSEC costs a lot of money; only huge businesses and the government can afford it, I guess. This is why I disabled this (now default) behaviour in Mandriva, and also due to huge latency. Well...

Comment 17 Tomas Hoger 2012-05-22 12:52:44 UTC
(In reply to comment #0)
> https://www.isc.org/software/bind/advisories/cve-2012-1033

(In reply to comment #1)
> ISC has updated their CVE page to note that they do not intend to fix this
> as it is an issue at the DNS protocol level, and not in the implementation. 
> They do intend to do further analysis and research, and suggest using DNSSEC
> to mitigate this if users deem it necessary, stating that "unsecured DNS is
> not designed to be relied on for security".

Even though the ISC security advisory has not been updated, a fix addressing this has been included in newer bind releases:

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

That change is available in bind versions 9.9.0, 9.8.2, 9.7.5, and 9.6-ESV-R6.
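To show what the changelog entry 3282 quoted above actually changes, the following is an added simulation of a recursive resolver's NS RRset replacement policy. It is illustrative code written for this page, not BIND source; the class and function names, the zone name and the timings are constructed for the example. The "refresh" policy takes the replacement RRset's TTL as-is, so a zone whose delegation was removed from the parent keeps getting its cached NS RRset renewed as long as its own servers are queried. The "capped" policy never lets the replacement TTL exceed the remaining lifetime of the RRset it replaces, which is how the example models the 3282 change: the cached delegation then expires at the original TTL no matter how often it is refreshed, and the next lookup has to go through the parent, which no longer knows the zone.

```python
"""Simulation of NS RRset replacement in a resolver cache (example code,
not BIND's implementation; names and timings are constructed).

Constructed scenario: a delegation for 'example.test' is cached with a
2-day TTL at t=0, the moment the parent zone drops the delegation. Once a
day a client query for a name under the zone makes the resolver contact the
zone's own servers (still reachable through the cached NS RRset), and their
answer carries an NS RRset with a fresh 2-day TTL.
"""

ONE_DAY = 86400
TWO_DAYS = 2 * ONE_DAY


class ResolverCache:
    """Holds, per zone, the absolute expiry time of the cached NS RRset."""

    def __init__(self, policy):
        if policy not in ("refresh", "capped"):
            raise ValueError("unknown policy: %r" % policy)
        self.policy = policy
        self._ns_expiry = {}  # zone name -> absolute expiry (seconds)

    def remaining(self, zone, now):
        """Seconds of TTL left on the cached NS RRset, 0 if absent or expired."""
        expiry = self._ns_expiry.get(zone)
        if expiry is None or expiry <= now:
            self._ns_expiry.pop(zone, None)  # drop stale entry
            return 0
        return expiry - now

    def put_ns(self, zone, ttl, now):
        """Store a replacement NS RRset according to the cache policy.

        refresh: accept the new TTL unchanged (pre-3282 behaviour).
        capped:  new TTL <= remaining TTL of the RRset being replaced
                 (the example's model of changelog entry 3282).
        """
        old_remaining = self.remaining(zone, now)
        if self.policy == "capped" and old_remaining > 0:
            ttl = min(ttl, old_remaining)
        self._ns_expiry[zone] = now + ttl


def simulate(policy, days, refresh_ttl=TWO_DAYS):
    """Run the constructed scenario for `days` days.

    Returns a dict: whether the removed zone is still resolvable at the end,
    and on which day (if any) the cached delegation was found expired.
    """
    cache = ResolverCache(policy)
    zone = "example.test"
    cache.put_ns(zone, TWO_DAYS, now=0)  # delegation cached just before removal
    for day in range(1, days + 1):
        now = day * ONE_DAY
        if cache.remaining(zone, now) == 0:
            # Delegation gone from cache: the resolver must ask the parent,
            # which no longer delegates the zone, so the name is unresolvable.
            return {"alive": False, "expired_by_day": day}
        # Query reaches the zone's servers; their answer carries a fresh
        # NS RRset, which the cache replaces under its policy.
        cache.put_ns(zone, refresh_ttl, now)
    return {"alive": True, "expired_by_day": None}


if __name__ == "__main__":
    for policy in ("refresh", "capped"):
        print(policy, simulate(policy, days=30))
```

Under "refresh" the removed zone is still resolvable after 30 days; under "capped" the cached delegation is found expired on day 2, exactly the original 2-day TTL. Real resolvers also cap TTLs for other reasons (configured maximum cache TTL, credibility ranking of answers), which this simulation leaves out.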

Comment 20 Tomas Hoger 2012-05-30 07:09:27 UTC
(In reply to comment #17)
> Even though ISC security advisory has not been updated, a fix addressing
> this as been included in newer bind releases:
> 
> 3282.	[bug]		Restrict the TTL of NS RRset to no more than that
> 			of the old NS RRset when replacing it.
> 			[RT #27792] [RT #27884]
> 
> That change is available in bind versions 9.9.0, 9.8.2, 9.7.5, and
> 9.6-ESV-R6.

Revision 2.1 from May 29, 2012 is updated with the above information:
  http://www.isc.org/software/bind/advisories/cve-2012-1033

Comment 24 errata-xmlrpc 2012-06-07 16:43:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0717 https://rhn.redhat.com/errata/RHSA-2012-0717.html

Comment 25 errata-xmlrpc 2012-06-07 16:55:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0716 https://rhn.redhat.com/errata/RHSA-2012-0716.html