Bug 788650 - (CVE-2012-1033) CVE-2012-1033 bind: deleted domain name resolving flaw
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20120207,reported=2...
: Security
Depends On: 799978 816615 828288 828289 828297 828668
Blocks: 788655 827605
Reported: 2012-02-08 12:38 EST by Vincent Danen
Modified: 2012-06-21 03:17 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-07 13:24:59 EDT
Description Vincent Danen 2012-02-08 12:38:19 EST
A vulnerability was found that affects the large majority of popular DNS implementations which allow a malicious domain name to stay resolvable long after it has been removed from the upper level servers, including ISC BIND.  According to Tsinghua University researchers, it exploits a flaw in DNS cache update policy, which prevents effective domain name revocation.

There is currently no known exploit, and no fix has been produced by ISC as of yet.

External References:

https://www.isc.org/software/bind/advisories/cve-2012-1033
Comment 1 Vincent Danen 2012-02-08 23:11:47 EST
ISC has updated their CVE page to note that they do not intend to fix this as it is an issue at the DNS protocol level, and not in the implementation.  They do intend to do further analysis and research, and suggest using DNSSEC to mitigate this if users deem it necessary, stating that "unsecured DNS is not designed to be relied on for security".
Comment 5 Oden Eriksson 2012-02-27 04:54:25 EST
Of course they want to push DNSSEC instead of "fixing it". At least in Sweden DNSSEC costs a lot of money, only huge businesses and the government can afford it I guess. This is why I disabled this (now default) behaviour in Mandriva, and due to huge latency. Well...
Comment 17 Tomas Hoger 2012-05-22 08:52:44 EDT
(In reply to comment #0)
> https://www.isc.org/software/bind/advisories/cve-2012-1033

(In reply to comment #1)
> ISC has updated their CVE page to note that they do not intend to fix this
> as it is an issue at the DNS protocol level, and not in the implementation. 
> They do intend to do further analysis and research, and suggest using DNSSEC
> to mitigate this if users deem it necessary, stating that "unsecured DNS is
> not designed to be relied on for security".

Even though the ISC security advisory has not been updated, a fix addressing this has been included in newer bind releases:

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

That change is available in bind versions 9.9.0, 9.8.2, 9.7.5, and 9.6-ESV-R6.
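
The TTL rule from change 3282 quoted in comment 17, as an added example that is not part of the original bug report and is not BIND source code: a toy delegation cache in Python comparing how long a cached NS RRset survives with and without the clamp. The zone and server names, TTLs and timings are constructed for illustration.

```python
# Added illustration: toy model of a resolver's cached NS RRset (not BIND code).
from dataclasses import dataclass


@dataclass
class NSEntry:
    servers: tuple    # nameserver host names
    expires_at: int   # absolute expiry time in seconds


class DelegationCache:
    def __init__(self, clamp_ttl):
        self.clamp_ttl = clamp_ttl   # True models the rule in change 3282
        self.entries = {}

    def store_ns(self, zone, servers, ttl, now):
        """Cache an NS RRset for zone and return the TTL actually applied."""
        old = self.entries.get(zone)
        if old is not None and old.expires_at <= now:
            old = None               # an expired RRset imposes no limit
        if old is not None and self.clamp_ttl:
            # Replacement may not outlive the RRset it replaces.
            ttl = min(ttl, old.expires_at - now)
        self.entries[zone] = NSEntry(tuple(servers), now + ttl)
        return ttl

    def lookup_ns(self, zone, now):
        entry = self.entries.get(zone)
        if entry is None or entry.expires_at <= now:
            self.entries.pop(zone, None)
            return None
        return entry.servers


def delegation_lifetime(clamp_ttl, ttl=3600, refresh_every=3000, horizon=20000):
    """Seconds until the delegation leaves the cache when a replacement NS
    RRset carrying a full TTL arrives every refresh_every seconds.
    Returns None if it is still cached at the horizon."""
    cache = DelegationCache(clamp_ttl)
    cache.store_ns("example.test.", ["ns1.example.test."], ttl, now=0)
    for now in range(1, horizon + 1):
        if cache.lookup_ns("example.test.", now) is None:
            return now
        if now % refresh_every == 0:
            cache.store_ns("example.test.", ["ns2.example.test."], ttl, now)
    return None
```

With the clamp the delegation expires at the original TTL regardless of later replacements; without it the expiry keeps moving forward.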
Comment 20 Tomas Hoger 2012-05-30 03:09:27 EDT
(In reply to comment #17)
> Even though the ISC security advisory has not been updated, a fix addressing
> this has been included in newer bind releases:
> 
> 3282.	[bug]		Restrict the TTL of NS RRset to no more than that
> 			of the old NS RRset when replacing it.
> 			[RT #27792] [RT #27884]
> 
> That change is available in bind versions 9.9.0, 9.8.2, 9.7.5, and
> 9.6-ESV-R6.

Revision 2.1 from May 29, 2012 is updated with the above information:
  http://www.isc.org/software/bind/advisories/cve-2012-1033
Comment 24 errata-xmlrpc 2012-06-07 12:43:55 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0717 https://rhn.redhat.com/errata/RHSA-2012-0717.html
Comment 25 errata-xmlrpc 2012-06-07 12:55:49 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0716 https://rhn.redhat.com/errata/RHSA-2012-0716.html
