Bug 838761 - ndjbdns vulnerable to cve-2012-1191 (ghost domain attack)
ndjbdns vulnerable to cve-2012-1191 (ghost domain attack)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ndjbdns (Show other bugs)
17
All All
unspecified Severity urgent
: ---
: ---
Assigned To: pjp
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-09 23:04 EDT by Mark Johnson
Modified: 2013-02-01 12:20 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-01 11:47:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Mark Johnson 2012-07-09 23:04:39 EDT
Description of problem:  ndjbdns is vulnerable to CVE-2012-1191 (ghost domain attack)


Version-Release number of selected component (if applicable):  all


How reproducible:  https://www.isc.org/files/imce/ghostdomain_camera.pdf


Steps to Reproduce:
1.  Cause the victim resolver to resolve and cache malicious domain before it is removed from the root.
2.  Manipulate the victim resolver to continue to cache delegation data for the malicious domain after the original expiration time.
3.  Profit!
  
Actual results:  Malicious removed domain still resolvable by victim resolver.


Expected results:  Targeted resolver unable / refuses to resolve removed malicious domain.


Additional info:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1191
Comment 1 pjp 2013-01-13 13:17:46 EST
I have applied the patch to fix this issue. Please have a look at:

 -> https://github.com/pjps/ndjbdns/commit/c90dbbbac5622e2744733f39e037263e63b51266

Thank you.
Comment 2 Fedora Update System 2013-01-20 07:36:32 EST
ndjbdns-1.05.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc16
Comment 3 Fedora Update System 2013-01-20 07:36:45 EST
ndjbdns-1.05.6-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc17
Comment 4 Fedora Update System 2013-01-20 07:36:55 EST
ndjbdns-1.05.6-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc18
Comment 5 Fedora Update System 2013-01-22 20:24:33 EST
Package ndjbdns-1.05.6-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ndjbdns-1.05.6-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1176/ndjbdns-1.05.6-1.fc18
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-02-01 11:47:49 EST
ndjbdns-1.05.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-02-01 12:15:41 EST
ndjbdns-1.05.6-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-02-01 12:20:03 EST
ndjbdns-1.05.6-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.