Message-ID: <4F96D904.5030201@redhat.com>
Date: Tue, 24 Apr 2012 18:47:00 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com, Adam Tkac <atkac@...hat.com>,
        Petr Spacek <pspacek@...hat.com>
Subject: CVE Request -- bind-dyndb-ldap: Bind DoS (named hang) by processing
 DNS query for zone served by bind-dyndb-ldap

Note: The first time I mangled the email address of Petr Spacek =>
       apologies if you got this email two times. Anyway:

Hello Kurt, Steve, vendors,

   a denial of service flaw was found in the way bind-dyndb-ldap, a dynamic
LDAP back-end plug-in for BIND providing LDAP database back-end capabilities,
performed LDAP connection error handling / attempted to recover, when an error
during an LDAP search happened for a particular DNS query. When the Berkeley
Internet Name Domain (BIND) server was patched to support dynamic loading of
database back-ends, and the LDAP database back-end was enabled, a remote
attacker could use this flaw to cause denial of service (named process hang)
via a DNS query for a zone served by bind-dyndb-ldap.

bind-dyndb-ldap backend upstream commit, which introduced the problem:
[1] http://git.fedorahosted.org/git/?p=bind-dyndb-ldap.git;a=commit;h=a7a47212beb01c5083768bdd4170250e7f7cf188

Preliminary bind-dyndb-ldap back-end upstream patch from Adam Tkac:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=815846#c1

References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=815846
[4] https://www.redhat.com/archives/freeipa-users/2012-April/msg00145.html

Note: Just to explicitly note this. This is NOT a bind DoS in the sense
       upstream bind source package would be affected by it. Bind
       needs to be first patched to support dynamic loading of database
       backends and it's an error in the LDAP backend (bind-dyndb-ldap
       source code) which makes this attack succeed when a specially-crafted
       DNS query is issued.

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
