ISC BIND before releases 9.11.4-P2 and 9.12.2-P2 does not properly document the behaviour of the krb5-subdomain and ms-subdomain update policies. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. The krb5-subdomain and ms-subdomain update policy rule types permit updates from any client authenticated with a valid Kerberos or Windows machine principal from the REALM specified in the identity field, to modify records in the zone at or below the name specified in the name field. The incorrect documentation, however, indicated that the policy would be restricted to names at or below the machine's name as encoded in the Windows or Kerberos principal.

External Reference: https://kb.isc.org/docs/cve-2018-5741
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1631132]

Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1631133]
More details about what was reported upstream can be found in the following Debian bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908595

There, the reporter explains that the behavior of the krb5-subdomain and ms-subdomain update policies did not work as documented, and why they believed the problem to be in the implementation rather than the documentation. It's noted that what upstream considers to be the intended behavior of krb5-subdomain can already be implemented via subdomain, and that the principal processing done for krb5-subdomain suggests a different intention, as that processing is not needed to implement the behavior upstream considers as intended.

The upstream advisory:

https://kb.isc.org/docs/cve-2018-5741

provides information on why upstream believes the problem to only be a documentation bug, including the concerns regarding changing behavior in stable releases. Their decision was to not change behavior, to update documentation to match the behavior, and to add new policies krb5-selfsub and ms-selfsub implementing the previously documented behavior.

Upstream notes that the affected update policies were implemented some time before they got documented in the BIND 9 Administrator Reference Manual (BIND 9 ARM). The documentation was added as part of upstream change 3112:

https://gitlab.isc.org/isc-projects/bind9/commit/0268e42b4e5b83e1e5806caddd3b38e14735d739

According to the upstream CHANGES file, this change was first included in versions 9.7.4rc1, 9.8.1b1, and 9.9.0a1.

The documentation update changing the description of the policy behavior was applied upstream as change 5022:

https://gitlab.isc.org/isc-projects/bind9/commit/0370d136673052dbe18e830182e73278bbba9c21
https://gitlab.isc.org/isc-projects/bind9/commit/a3c5c2c29c46cba6d077364af86984fd5d1ebedd
https://gitlab.isc.org/isc-projects/bind9/merge_requests/708

These changes were included in upstream versions 9.11.4-P2, 9.12.2-P2, and 9.13.3.
This is how the documentation was changed:

https://ftp.isc.org/isc/bind9/9.13.2/doc/arm/Bv9ARM.ch05.html#dynamic_update_policies

ms-subdomain
    This rule takes a Windows machine principal (machine$@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM to be matched is specified in the identity field.

krb5-subdomain
    This rule takes a Kerberos machine principal (host/machine@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM to be matched is specified in the identity field. The name field should be set to ".".

https://ftp.isc.org/isc/bind9/9.13.3/doc/arm/Bv9ARM.ch05.html#dynamic_update_policies

ms-subdomain
    When a client sends an UPDATE using a Windows machine principal (for example, 'machine$@REALM'), this rule allows any machine in the specified realm to update any record in the zone or in a specified subdomain of the zone. The realm to be matched is specified in the identity field. The name field specifies the subdomain that may be updated. If set to "." (or any other name at or above the zone apex), any name in the zone can be updated. For example, if update-policy for the zone "example.com" includes

        grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA

    any machine with a valid principal in the realm EXAMPLE.COM will be able to update address records at or below "hosts.example.com".

krb5-subdomain
    This rule is identical to ms-subdomain, except that it works with Kerberos machine principals (i.e., 'host/machine@REALM') rather than Windows machine principals.

Upstream notes that the new policies krb5-selfsub and ms-selfsub are expected to be included in future versions 9.11.5 and 9.12.3. The relevant upstream change id is 5032 and the upstream issue and merge requests are:

https://gitlab.isc.org/isc-projects/bind9/issues/511
https://gitlab.isc.org/isc-projects/bind9/merge_requests/732/diffs
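As an added illustration, not BIND's code and not part of this bug report, the following Python models the two semantics contrasted above: what ms-/krb5-subdomain actually grant versus what the older ARM said they granted, following the ARM's description of converting a machine principal to machine.realm. The principal parsing, case-sensitive realm comparison and name matching are simplified assumptions, and the function at the end lists the names a grant permits in practice that the old documentation implied were out of reach.

```python
import re

# Constructed model of the two semantics the advisory contrasts; not BIND code.
# Machine principals as the ARM describes them: 'host/machine@REALM' (Kerberos)
# or 'machine$@REALM' (Windows). User principals such as 'alice@REALM' match
# neither form and are rejected.
_KRB5_MACHINE = re.compile(r"^host/([^/@$]+)@([^/@$]+)$")
_MS_MACHINE = re.compile(r"^([^/@$]+)\$@([^/@$]+)$")


def principal_to_machine_name(principal):
    """Return (realm, 'machine.realm') for a machine principal, else None."""
    m = _KRB5_MACHINE.match(principal) or _MS_MACHINE.match(principal)
    if m is None:
        return None
    machine, realm = m.group(1), m.group(2)
    return realm, (machine + "." + realm).lower()


def _at_or_below(name, base):
    """True if DNS name `name` equals `base` or is a subdomain of it;
    the root name "." (empty after trimming) contains every name."""
    name, base = name.rstrip(".").lower(), base.rstrip(".").lower()
    return base == "" or name == base or name.endswith("." + base)


def actual_subdomain_allows(principal, identity_realm, name_field, target):
    """What ms-/krb5-subdomain really do (and what the corrected ARM says):
    any machine principal in identity_realm may update any name at or
    below name_field. Realms compare case-sensitively, as Kerberos does."""
    parsed = principal_to_machine_name(principal)
    if parsed is None or parsed[0] != identity_realm:
        return False
    return _at_or_below(target, name_field)


def documented_allows(principal, identity_realm, target):
    """What the pre-9.11.4-P2 ARM claimed: the principal is converted to
    machine.realm and may only update names at or below that name."""
    parsed = principal_to_machine_name(principal)
    if parsed is None or parsed[0] != identity_realm:
        return False
    return _at_or_below(target, parsed[1])


def names_allowed_only_in_practice(principal, identity_realm, name_field, targets):
    """Names the real semantics permit but the old documentation would have
    led an operator to believe were denied: the exposure this CVE is about."""
    return [t for t in targets
            if actual_subdomain_allows(principal, identity_realm, name_field, t)
            and not documented_allows(principal, identity_realm, t)]
```

Running it against the ARM's own grant (`grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA`) shows that ws1$@EXAMPLE.COM can rewrite ws2.hosts.example.com under the real semantics, which the old text implied only ws2 itself could do.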
The affected functionality is available in bind packages in Red Hat Enterprise Linux 5 and later (in the case of the bind package in Red Hat Enterprise Linux 5, it's only usable as of Red Hat Enterprise Linux 5.3, see bug 457932). However, the problematic documentation is only included in bind packages in Red Hat Enterprise Linux 6 and 7; there's no documentation for the functionality in the bind and bind97 packages in Red Hat Enterprise Linux 5.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2057 https://access.redhat.com/errata/RHSA-2019:2057
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-5741