From 7983015dfa58be21526a01300b9e13a84278266a Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 4 Jun 2018 21:55:41 -0700 Subject: [PATCH] allow-recursion could incorrectly inherit from the default allow-query --- bin/named/server.c | 50 ++++++++++++++++++++++++++++++++++++-------------- doc/arm/notes.xml | 41 +++++------------------------------------ 2 files changed, 41 insertions(+), 50 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 64a5180..41a1826 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -3376,10 +3376,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, dns_acache_setcachesize(view->acache, max_acache_size); } - CHECK(configure_view_acl(vconfig, config, ns_g_config, - "allow-query", NULL, actx, - ns_g_mctx, &view->queryacl)); - /* * Make the list of response policy zone names for a view that * is used for real lookups and so cares about hints. @@ -4258,9 +4254,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, INSIST(result == ISC_R_SUCCESS); view->trust_anchor_telemetry = cfg_obj_asboolean(obj); - CHECK(configure_view_acl(vconfig, config, ns_g_config, - "allow-query-cache-on", NULL, actx, - ns_g_mctx, &view->cacheonacl)); /* * Set sources where additional data and CNAME/DNAME * targets for authoritative answers may be found. @@ -4287,22 +4280,40 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, view->additionalfromcache = ISC_TRUE; } + CHECK(configure_view_acl(vconfig, config, ns_g_config, + "allow-query-cache-on", NULL, actx, + ns_g_mctx, &view->cacheonacl)); + /* - * Set "allow-query-cache", "allow-recursion", and - * "allow-recursion-on" acls if configured in named.conf. - * (Ignore the global defaults for now, because these ACLs - * can inherit from each other when only some of them set at - * the options/view level.) + * Set the "allow-query", "allow-query-cache", "allow-recursion", + * and "allow-recursion-on" ACLs if configured in named.conf, but + * NOT from the global defaults. This is done by leaving the third + * argument to configure_view_acl() NULL. + * + * We ignore the global defaults here because these ACLs + * can inherit from each other. If any are still unset after + * applying the inheritance rules, we'll look up the defaults at + * that time. */ - CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", - NULL, actx, ns_g_mctx, &view->cacheacl)); + + /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-query", NULL, actx, + ns_g_mctx, &view->queryacl)); + + /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-query-cache", NULL, actx, + ns_g_mctx, &view->cacheacl)); if (strcmp(view->name, "_bind") != 0 && view->rdclass != dns_rdataclass_chaos) { + /* named.conf only */ CHECK(configure_view_acl(vconfig, config, NULL, "allow-recursion", NULL, actx, ns_g_mctx, &view->recursionacl)); + /* named.conf only */ CHECK(configure_view_acl(vconfig, config, NULL, "allow-recursion-on", NULL, actx, ns_g_mctx, &view->recursiononacl)); @@ -4340,18 +4351,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, * the global config. */ if (view->recursionacl == NULL) { + /* global default only */ CHECK(configure_view_acl(NULL, NULL, ns_g_config, "allow-recursion", NULL, actx, ns_g_mctx, &view->recursionacl)); } if (view->recursiononacl == NULL) { + /* global default only */ CHECK(configure_view_acl(NULL, NULL, ns_g_config, "allow-recursion-on", NULL, actx, ns_g_mctx, &view->recursiononacl)); } if (view->cacheacl == NULL) { + /* global default only */ CHECK(configure_view_acl(NULL, NULL, ns_g_config, "allow-query-cache", NULL, actx, ns_g_mctx, @@ -4365,6 +4379,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, CHECK(dns_acl_none(mctx, &view->cacheacl)); } + if (view->queryacl == NULL) { + /* global default only */ + CHECK(configure_view_acl(NULL, NULL, ns_g_config, + "allow-query", NULL, + actx, ns_g_mctx, + &view->queryacl)); + } + /* * Ignore case when compressing responses to the specified * clients. This causes case not always to be preserved, diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index ea9b61f..9a1832d 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -103,42 +103,11 @@ - An error in TSIG handling could permit unauthorized zone - transfers or zone updates. These flaws are disclosed in - CVE-2017-3142 and CVE-2017-3143. [RT #45383] - - - - - The BIND installer on Windows used an unquoted service path, - which can enable privilege escalation. This flaw is disclosed - in CVE-2017-3141. [RT #45229] - - - - - With certain RPZ configurations, a response with TTL 0 - could cause named to go into an infinite - query loop. This flaw is disclosed in CVE-2017-3140. - [RT #45181] - - - - - Addresses could be referenced after being freed during resolver - processing, causing an assertion failure. The chances of this - happening were remote, but the introduction of a delay in - resolution increased them. This bug is disclosed in - CVE-2017-3145. [RT #46839] - - - - - update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. If the name field was omitted - from the rule declaration and a type list was present it wouldn't - be interpreted as expected. + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] -- 2.14.4