Bug 248850 - (CVE-2007-2925) CVE-2007-2925 bind allow-query-cache/allow-recursion default ACL issue
CVE-2007-2925 bind allow-query-cache/allow-recursion default ACL issue
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=bind,reported=...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-19 04:07 EDT by Mark J. Cox (Product Security)
Modified: 2008-06-05 10:35 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-05 10:35:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2007-07-19 04:07:50 EDT
Internet Systems Consortium Security Advisory.

                BIND 9: allow-query-cache/allow-recursion
                default acls not set.

                            17 July 2007

Versions affected:

    BIND 9.4.0, 9.4.1
    BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Severity: Medium.

Description:

    The default access control lists (acls) are not being correctly
    set.  If not set anyone can make recursive queries and/or query
    the cache contents.

Workaround:

    Explicitly set allow-query-cache and allow-recursion acl's
    if not already set to "{ localnets; localhost; };".

    If recursion is supposed to be allowed to local clients (default).

        options {
            recursion yes;  // default
            allow-recursion { localnets; localhost; };
            allow-query-cache { localnets; localhost; };
            ...
        };

    If recursion is disallowed.

        options {
            recursion no;
            allow-query-cache { localnets; localhost; };
            ...
        };

Fix:

    Upgrade to BIND BIND 9.4.1-P1, BIND 9.4.2 or BIND 9.5.0a6.

    Questions should be addressed to bind9-bugs@isc.org.

CVE:    CVE-2007-2925   (CERT-US VU#187297)

** embargo set to 23 July 2007 **
Comment 1 Adam Tkac 2007-07-19 05:18:11 EDT
I've found some additional problem around this

2206.   [security]      "allow-query-cache" and "allow-recursion" now
                        cross inherit from each other.

                        If allow-query-cache is not set in named.conf then
                        allow-recursion is used if set, otherwise allow-query
                        is used if set, otherwise the default (localnets;
                        localhost;) is used.

                        If allow-recursion is not set in named.conf then
                        allow-query-cache is used if set, otherwise allow-query
                        is used if set, otherwise the default (localnets;
                        localhost;) is used.

Only F7 and rawhide are affected. allow-query-cache option doesn't exist in
RHELs and <= Fedora 6 (problem with relation between allow-recursion and
allow-query-cache doesn't exist).

Second problem is in default allow-recursion acl setup. In >= 9.4 are default
acls { localhost; localnet; }; and these wasn't set correctly. In bind < 9.4 are
default acls { any; }; (when any is specified it means NULL pointer in BIND's
code - no setup is needed)

Adam
Comment 2 Tomas Hoger 2007-09-07 03:59:43 EDT
Issue is public now, opening bug.
Comment 3 Tomas Hoger 2008-06-05 10:35:44 EDT
This issue did not affect the versions of bind as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

Fedora bind versions already updated to fixed upstream version.

Note You need to log in before you can comment on or make changes to this bug.