diff --git a/CHANGES b/CHANGES
index 4bfa275e5f..7819b610f5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5390. [security] Replaying a TSIG BADTIME response as a request could
+ trigger an assertion failure. (CVE-2020-8617)
+ [GL #1703]
+
 5376. [bug] Fix ineffective DNS rebinding protection when BIND is configured as a forwarding DNS server. Thanks to Tobias Klein. [GL #1574]
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
new file mode 100644
index 0000000000..7926404cfb
--- /dev/null
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 3a720decfc..c917dcf499 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -213,5 +213,14 @@ ret=0
 $KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
 grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
 
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
+ret=0
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
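Review bot: The fixture's TSIG error field is `0010` (decimal 16), which its own comment labels `# Error: BADSIG`, while the file name and the tests.sh description call it a BADTIME response; BADTIME is the distinct code 18 (`0012`). If the packet is meant to exercise the BADTIME path that the second tsig.c hunk now guards with `response &&`, the field should read `0012` with the comment `# Error: BADTIME`; if BADSIG is intended (it drives the empty-MAC branch in the first tsig.c hunk instead), the test description should say so. As written a reader cannot tell which branch of dns_tsig_verify this packet is meant to cover, so a header comment naming that branch would help either way.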
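Review bot: The `$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null` line has no `|| ret=1`, so if packet.pl fails to send (wrong address, port or missing file) the following dig still answers NOERROR and the test passes without the crafted packet ever reaching the server. Append `|| ret=1` to that line, and consider writing its output to a file such as `packet.out.badtime` instead of `/dev/null` so a send failure is diagnosable from the artifacts. The check is a liveness probe only, which is adequate for an assertion-failure regression, but a one-line comment saying that is what the dig is for would make the intent clear.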
diff --git a/doc/arm/notes-9.14.12.xml b/doc/arm/notes-9.14.12.xml
index 94fc82e69b..47b919e0ef 100644
--- a/doc/arm/notes-9.14.12.xml
+++ b/doc/arm/notes-9.14.12.xml
@@ -13,6 +13,13 @@
Security Fixes + + + Replaying a TSIG BADTIME response as a request could + trigger an assertion failure. This was disclosed in + CVE-2020-8617. [GL #1703] + + DNS rebinding protection was ineffective when BIND 9 is configured as
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index c89d399632..929de8166e 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1338,8 +1338,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 goto cleanup_context;
 }
 msg->verified_sig = 1;
- } else if (tsig.error != dns_tsigerror_badsig &&
- tsig.error != dns_tsigerror_badkey) {
+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
+ tsig.error != dns_tsigerror_badkey))
+ {
 tsig_log(msg->tsigkey, 2, "signature was empty");
 return (DNS_R_TSIGVERIFYFAILURE);
 }
@@ -1388,7 +1389,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 }
 }
 
- if (tsig.error != dns_rcode_noerror) {
+ if (response && tsig.error != dns_rcode_noerror) {
 msg->tsigstatus = tsig.error;
 if (tsig.error == dns_tsigerror_badtime)
 ret = DNS_R_CLOCKSKEW;
diff --git a/util/copyrights b/util/copyrights
index 56c8b2f527..c4b1aec2c4 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1125,6 +1125,7 @@
 ./bin/tests/system/tools/clean.sh SH 2017,2018,2019,2020
 ./bin/tests/system/tools/setup.sh SH 2019,2020
 ./bin/tests/system/tools/tests.sh SH 2017,2018,2019,2020
+./bin/tests/system/tsig/badtime X 2020
 ./bin/tests/system/tsig/clean.sh SH 2005,2006,2007,2012,2014,2016,2018,2019,2020
 ./bin/tests/system/tsig/setup.sh SH 2016,2017,2018,2019,2020
 ./bin/tests/system/tsig/tests.sh SH 2005,2006,2007,2011,2012,2016,2018,2019,2020
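Review bot: The new `!response ||` condition in the first tsig.c hunk encodes a protocol rule that the code nowhere states: only a response may carry an empty MAC, and only when it reports BADSIG or BADKEY (the RFC 2845 unsigned-error-response case), whereas a request with an empty MAC is always a verification failure. Add a comment ahead of the `else if`, e.g. `/* An unsigned TSIG is only valid on a BADSIG/BADKEY response; a request must always carry a MAC. */`. The second hunk, `if (response && tsig.error != dns_rcode_noerror)`, has the mirror-image gap: a request whose error field is non-zero is now verified on its MAC alone and the error value is silently dropped, so a comment such as `/* Only a response carries a meaningful error field; one set in a request is ignored. */` would record that this is deliberate, and a debug-level tsig_log of the ignored value may be worth considering so replayed-response requests remain visible in logs. dns_tsig_verify begins before and continues after both hunks.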