oss-sec mailing list archives

Re: Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public


From: Florian Weimer <fweimer () redhat com>
Date: Thu, 3 Sep 2015 21:02:50 +0200

On 09/02/2015 10:52 PM, ISC Security Officer wrote:
> Please be advised that ISC publicly announced two critical
> vulnerabilities in BIND:
>
> + CVE-2015-5722 is a denial-of-service vector which can be
>   exploited remotely against a BIND server that is performing
>   validation on DNSSEC-signed records. All versions of BIND since
>   9.0.0 are vulnerable.
>   https://kb.isc.org/article/AA-01287

Your patch had quite good obfuscation, and it took me a while to see
where the actual fix was.  Was this deliberate?

But anyway, we can confirm it's exploitable over the network.  Nice
analysis, I would not have immediately seen that if I only had Hanno's
reproducer.

For validating recursors, it's actually quite a bit worse than
CVE-2015-5477 because CVE-2015-5722 does not require a completely
crafted query; an attacker-controlled QNAME (which can be in the
in-addr.arpa or ip6.arpa tree) is sufficient.  So attacks could be
reflected through basically anything.

> + CVE-2015-5986 is a denial-of-service vector which can be used
>   against a BIND server that is performing recursion and (under
>   limited conditions) an authoritative-only nameserver.
>   Versions of BIND since 9.9.7 and 9.10.2 are vulnerable.
>   https://kb.isc.org/article/AA-01291

This can't be reflected as easily, only through applications that use
the affected record type.

-- 
Florian Weimer / Red Hat Product Security

