Bug 841268 (CVE-2012-2978)

Summary: CVE-2012-2978: nsd: NSD denial of service vulnerability from non-standard DNS packet from any host on the internet.
Product: [Other] Security Response Reporter: Paul Wouters <pwouters>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, kseifried, pwouters, security-response-team, tis, willem
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: impact=moderate,public=20120719,reported=20120718,source=redhat,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,fedora-all/nsd=affected,epel-all/nsd=affected
Fixed In Version: nsd 3.2.12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-20 04:23:40 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Paul Wouters 2012-07-18 10:18:54 EDT
Description of problem:

(Embargoed until July 19 after 15:00 CET)

It is possible to crash (SIGSEGV) a NSD child server process by sending
it a non-standard DNS packet from any host on the internet. A crashed
child process will automatically be restarted by the parent process, but
an attacker may keep the NSD server occupied restarting child processes
by sending it a stream of such packets effectively preventing the NSD
server to serve.

All NSD 3 versions are vulnerable to this attack. (NSD 3.0.0-3.0.8,
3.1.0-3.1.1, and 3.2.0-3.2.11). So is the NSD 4 development branch.

== Remote Exploit.

The problem packet causes NSD to dereference a null pointer. Most
operating systems map the null pointer's address such that accessing it
causes a segmentation fault, ruling out the possibility for remote exploit.



Version-Release number of selected component (if applicable):
all version up to and including nsd-3.2.11



I'll prepare the 3.2.12 release
Comment 1 Vincent Danen 2012-07-18 19:28:25 EDT
Thanks for this, Paul.  I'm going to hijack this bug to turn it into an SRT bug so we can properly track it.
Comment 2 Paul Wouters 2012-07-19 09:43:22 EDT
 Fix for VU#624931 CVE-2012-2978: NSD denial of service
  vulnerability from non-standard DNS packet from any host
  on the internet.
  http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt
Comment 3 Paul Wouters 2012-07-19 10:24:06 EDT
Package nsd-3.2.12-1:
* was pushed to the testing repositories,
* should be available at your local mirror within two days.

Update it with (EPEL):
# su -c 'yum update --enablerepo=epel-testing nsd-3.2.12-1'
Update it with (Fedora):
# su -c 'yum update --enablerepo=updates-testing nsd-3.2.12-1'

Or use the direct links below to download the package if it is not yet available via the mirror sites. Please leave karma/feedback.

nsd-3.2.12-1.el5 has been submitted as an update for EL5.
https://admin.fedoraproject.org/updates/nsd-3.2.12-1.el5

nsd-3.2.12-1.el6 has been submitted as an update for EL6.
https://admin.fedoraproject.org/updates/nsd-3.2.12-1.el6
Comment 4 Paul Wouters 2012-07-19 10:52:45 EDT
nsd-3.2.12-1.fc16 has been submitted as an update for Fedora.
https://admin.fedoraproject.org/updates/nsd-3.2.12-1.fc16

nsd-3.2.12-1.fc17 has been submitted as an update for Fedora.
https://admin.fedoraproject.org/updates/nsd-3.2.12-1.fc17
Comment 5 Paul Wouters 2013-04-18 16:30:22 EDT
Vincent: can we close this bug?