Bug 248850 (CVE-2007-2925) - CVE-2007-2925 bind allow-query-cache/allow-recursion default ACL issue
Summary: CVE-2007-2925 bind allow-query-cache/allow-recursion default ACL issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-2925
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-07-19 08:07 UTC by Mark J. Cox
Modified: 2021-11-12 19:40 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-05 14:35:44 UTC
Embargoed:

Attachments (Terms of Use)

Description Mark J. Cox 2007-07-19 08:07:50 UTC 
Internet Systems Consortium Security Advisory.

                BIND 9: allow-query-cache/allow-recursion
                default acls not set.

                            17 July 2007

Versions affected:

    BIND 9.4.0, 9.4.1
    BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Severity: Medium.

Description:

    The default access control lists (acls) are not being correctly
    set.  If not set anyone can make recursive queries and/or query
    the cache contents.

Workaround:

    Explicitly set allow-query-cache and allow-recursion acl's
    if not already set to "{ localnets; localhost; };".

    If recursion is supposed to be allowed to local clients (default).

        options {
            recursion yes;  // default
            allow-recursion { localnets; localhost; };
            allow-query-cache { localnets; localhost; };
            ...
        };

    If recursion is disallowed.

        options {
            recursion no;
            allow-query-cache { localnets; localhost; };
            ...
        };

Fix:

    Upgrade to BIND BIND 9.4.1-P1, BIND 9.4.2 or BIND 9.5.0a6.

    Questions should be addressed to bind9-bugs.

CVE:    CVE-2007-2925   (CERT-US VU#187297)

** embargo set to 23 July 2007 **
Comment 1 Adam Tkac 2007-07-19 09:18:11 UTC 
I've found some additional problem around this

2206.   [security]      "allow-query-cache" and "allow-recursion" now
                        cross inherit from each other.

                        If allow-query-cache is not set in named.conf then
                        allow-recursion is used if set, otherwise allow-query
                        is used if set, otherwise the default (localnets;
                        localhost;) is used.

                        If allow-recursion is not set in named.conf then
                        allow-query-cache is used if set, otherwise allow-query
                        is used if set, otherwise the default (localnets;
                        localhost;) is used.

Only F7 and rawhide are affected. allow-query-cache option doesn't exist in
RHELs and <= Fedora 6 (problem with relation between allow-recursion and
allow-query-cache doesn't exist).

Second problem is in default allow-recursion acl setup. In >= 9.4 are default
acls { localhost; localnet; }; and these wasn't set correctly. In bind < 9.4 are
default acls { any; }; (when any is specified it means NULL pointer in BIND's
code - no setup is needed)

Adam
Comment 2 Tomas Hoger 2007-09-07 07:59:43 UTC 
Issue is public now, opening bug.
Comment 3 Tomas Hoger 2008-06-05 14:35:44 UTC 
This issue did not affect the versions of bind as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

Fedora bind versions already updated to fixed upstream version.
Note You need to log in before you can comment on or make changes to this bug.