Bug 838761

Summary: ndjbdns vulnerable to cve-2012-1191 (ghost domain attack)
Product: [Fedora] Fedora Reporter: Mark Johnson <johnsonm>
Component: ndjbdnsAssignee: pjp <pj.pandit>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 17CC: bressers, pj.pandit
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-01 11:47:48 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Mark Johnson 2012-07-09 23:04:39 EDT
Description of problem:  ndjbdns is vulnerable to CVE-2012-1191 (ghost domain attack)


Version-Release number of selected component (if applicable):  all


How reproducible:  https://www.isc.org/files/imce/ghostdomain_camera.pdf


Steps to Reproduce:
1.  Cause the victim resolver to resolve and cache malicious domain before it is removed from the root.
2.  Manipulate the victim resolver to continue to cache delegation data for the malicious domain after the original expiration time.
3.  Profit!
  
Actual results:  Malicious removed domain still resolvable by victim resolver.


Expected results:  Targeted resolver unable / refuses to resolve removed malicious domain.


Additional info:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1191
Comment 1 pjp 2013-01-13 13:17:46 EST
I have applied the patch to fix this issue. Please have a look at:

 -> https://github.com/pjps/ndjbdns/commit/c90dbbbac5622e2744733f39e037263e63b51266

Thank you.
Comment 2 Fedora Update System 2013-01-20 07:36:32 EST
ndjbdns-1.05.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc16
Comment 3 Fedora Update System 2013-01-20 07:36:45 EST
ndjbdns-1.05.6-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc17
Comment 4 Fedora Update System 2013-01-20 07:36:55 EST
ndjbdns-1.05.6-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc18
Comment 5 Fedora Update System 2013-01-22 20:24:33 EST
Package ndjbdns-1.05.6-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ndjbdns-1.05.6-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1176/ndjbdns-1.05.6-1.fc18
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-02-01 11:47:49 EST
ndjbdns-1.05.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-02-01 12:15:41 EST
ndjbdns-1.05.6-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-02-01 12:20:03 EST
ndjbdns-1.05.6-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.