Internet Systems Consortium Security Advisory.
BIND 9: allow-query-cache/allow-recursion default acls not set.
17 July 2007

Versions affected:
    BIND 9.4.0, 9.4.1
    BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Severity: Medium.

Description:
    The default access control lists (acls) are not being correctly set.
    If not set, anyone can make recursive queries and/or query the cache contents.

Workaround:
    Explicitly set the allow-query-cache and allow-recursion acls if not already set to "{ localnets; localhost; };".

    If recursion is supposed to be allowed to local clients (default):

        options {
            recursion yes; // default
            allow-recursion { localnets; localhost; };
            allow-query-cache { localnets; localhost; };
            ...
        };

    If recursion is disallowed:

        options {
            recursion no;
            allow-query-cache { localnets; localhost; };
            ...
        };

Fix:
    Upgrade to BIND 9.4.1-P1, BIND 9.4.2 or BIND 9.5.0a6.

Questions should be addressed to bind9-bugs.

CVE: CVE-2007-2925 (CERT-US VU#187297)

** embargo set to 23 July 2007 **
I've found some additional problems around this.

2206. [security] "allow-query-cache" and "allow-recursion" now cross inherit from each other. If allow-query-cache is not set in named.conf then allow-recursion is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used. If allow-recursion is not set in named.conf then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used.

Only F7 and rawhide are affected. The allow-query-cache option doesn't exist in RHELs and <= Fedora 6 (the problem with the relation between allow-recursion and allow-query-cache doesn't exist there).

The second problem is in the default allow-recursion acl setup. In >= 9.4 the default acls are { localhost; localnet; }; and these weren't set correctly. In bind < 9.4 the default acls are { any; }; (when any is specified it means a NULL pointer in BIND's code - no setup is needed).

Adam
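As an added illustration (not code from ISC or from the bug report), the following Python resolves the effective acls under the cross-inheritance rule quoted in the comment above and lists which acls an affected release would leave unset, i.e. what the advisory's workaround says to set explicitly. The named.conf options blocks it parses are constructed samples, and the parser assumes one acl statement per line.

```python
import re

# Added example, not code from ISC or the bug report: models the acl
# inheritance rules quoted above and flags configs that rely on defaults
# the affected releases failed to apply.
DEFAULT_ACL = ["localnets", "localhost"]
ACL_NAMES = ("allow-query", "allow-recursion", "allow-query-cache")
# Constructed sample options blocks (not from the page).
CONF_RELIES_ON_DEFAULTS = "options {\n    recursion yes;\n    directory \"/var/named\";\n};\n"
CONF_WORKAROUND_NOREC = "options {\n    recursion no;\n    allow-query-cache { localnets; localhost; };\n};\n"

def parse_options(named_conf):
    """Return (recursion enabled?, acls explicitly set) for the options block.
    Assumes the block closes with '};' at the start of a line and each acl
    statement sits on one line, e.g. 'allow-recursion { localnets; localhost; };'."""
    m = re.search(r"options\s*\{(.*?)^\};", named_conf, re.S | re.M)
    body = m.group(1) if m else ""
    acls = {}
    for name in ACL_NAMES:
        mm = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}\s*;" % name, body)
        if mm:
            acls[name] = [t.strip() for t in mm.group(1).split(";") if t.strip()]
    recursion = re.search(r"\brecursion\s+no\s*;", body) is None  # default is yes
    return recursion, acls

def effective_acls(acls):
    """Resolve both acls as fixed BIND (CHANGES 2206) does: each falls back to
    the other, then to allow-query, then to the built-in default."""
    def first_set(*names):
        for n in names:
            if n in acls:
                return acls[n]
        return DEFAULT_ACL
    return {"allow-query-cache": first_set("allow-query-cache", "allow-recursion", "allow-query"),
            "allow-recursion": first_set("allow-recursion", "allow-query-cache", "allow-query")}

def needs_workaround(named_conf):
    """Acls an affected release would leave unset, i.e. what the advisory says to
    set explicitly: allow-query-cache always, allow-recursion when recursion is on."""
    recursion, acls = parse_options(named_conf)
    missing = ["allow-query-cache"] if "allow-query-cache" not in acls else []
    if recursion and "allow-recursion" not in acls:
        missing.append("allow-recursion")
    return missing

if __name__ == "__main__":
    for conf in (CONF_RELIES_ON_DEFAULTS, CONF_WORKAROUND_NOREC):
        print(needs_workaround(conf), effective_acls(parse_options(conf)[1]))
```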
Issue is public now, opening bug.
This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Fedora bind versions were already updated to the fixed upstream version.