Bug 873618 (CVE-2006-0987)
Summary: | CVE-2006-0987 bind: DDoS (traffic amplification) via DNS queries with spoofed IP addresses due to additional information delegation to arbitrary IP addresses | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | atkac, pwouters, thozza
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-11-06 11:13:07 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Jan Lieskovsky
2012-11-06 10:31:23 UTC
As noted in the referenced DNS Amplification Attacks PDF article [5], a recursive name server should only accept queries from local or authorized clients in order not to be vulnerable to the distributed denial of service (traffic amplification / Smurf) attack. In the default configuration the named service, as shipped within the bind package with Red Hat Enterprise Linux 5 and 6, listens only for DNS queries from localhost. The relevant named.conf configuration file setting is:

    named.conf:
    ..
    allow-query { localhost; };
    ..

Therefore, as such (in the default configuration), it is NOT vulnerable to the CVE-2006-0987 flaw.

This issue is inherited from the DNS design and cannot be fixed on the DNS protocol level. However, there is a "rate-limiting" patch for BIND which effectively prevents amplification attacks. It is available on http://www.redbarn.org/dns/ratelimits

We can consider backporting the patch.

(In reply to comment #2)
> This issue is inherited from the DNS design and cannot be fixed on the DNS
> protocol level. However, there is a "rate-limiting" patch for BIND which
> effectively prevents amplification attacks. It is available on
> http://www.redbarn.org/dns/ratelimits
>
> We can consider backporting the patch.

Thank you for the suggestion, Adam. The request to backport the security hardening patch for non-default bind configurations is now tracked under bug #873624.

This issue did NOT affect the versions of the bind package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the version of the bind97 package as shipped with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the versions of the bind package as shipped with Fedora 16 and Fedora 17.

Statement: Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 5 and 6, or the version of bind97 as shipped with Red Hat Enterprise Linux 5, as in the default configuration the named service accepts DNS queries only from localhost.
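As an added illustration (not part of the bug report or of the bind package's own files), the following named.conf fragments place the open-resolver shape that the thread warns about beside the restricted shape the report describes as the Red Hat default, extended with a site ACL and the response rate limiting stanza the thread points to for non-default deployments. The `trusted` ACL name and the 192.0.2.0/24 prefix are placeholders; the `rate-limit` syntax is that of BIND builds carrying the RRL patch (later integrated upstream), so a stock older build without it will reject that stanza.

```conf
// Added example, not from the bug report. Only one "options" block may
// appear in a real named.conf; two are shown here for comparison.

// 1) The configuration the report warns about: an open recursive resolver.
//    Every source address on the Internet is answered and recursed for,
//    so a small query carrying a spoofed source can elicit a much larger
//    response toward whoever was spoofed (the amplification the CVE describes).
options {
    recursion yes;
    allow-query     { any; };   // answers anyone
    allow-recursion { any; };   // recurses for anyone
};

// 2) The restricted shape the report gives as the RHEL default
//    (allow-query { localhost; };), widened with a hypothetical "trusted"
//    ACL for a site that must serve its own networks.
//    192.0.2.0/24 is a documentation prefix used as a placeholder.
acl trusted {
    localhost;
    192.0.2.0/24;
};

options {
    recursion yes;
    allow-query     { trusted; };   // all other sources receive REFUSED
    allow-recursion { trusted; };   // never recurse on behalf of outsiders

    // Response rate limiting, the hardening the thread suggests for
    // non-default configurations. Assumption: the server runs a BIND build
    // that includes the RRL code; otherwise named-checkconf rejects this.
    rate-limit {
        responses-per-second 5;   // identical answers per client prefix per second
        window 5;                 // seconds over which the rate is measured
    };
};
```

Run `named-checkconf` on the file before reloading; after the change, a query from an address outside the ACL should come back with REFUSED rather than an answer, which is the behaviour that keeps the server from serving as an amplifier.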