From cb61e1dd1da51e1c9cc8eb4aef5805c571baf45f Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 25 Mar 2020 17:44:51 +1100
Subject: [PATCH 1/4] Check that a 'BADTIME' response with 'QR=0' is handled as a request
---
 bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++
 bin/tests/system/tsig/tests.sh | 9 +++++++++
 util/copyrights | 1 +
 3 files changed, 47 insertions(+)
 create mode 100644 bin/tests/system/tsig/badtime
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
new file mode 100644
index 0000000000..7926404cfb
--- /dev/null
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 6664ae0a88..31f031ea7b 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
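Review bot: The error code documented in the fixture does not match what the test says it exercises: `# Error: BADSIG` followed by `0010` encodes TSIG error 16 (BADSIG), while the file is named badtime and tests.sh reports the case as a 'BADTIME' response. If BADSIG together with `# MAC Size: 0; MAC: empty` is deliberate (that is the shape of an unsigned TSIG error response), the header comment should say so, e.g. `# Unsigned TSIG error response (BADSIG, empty MAC) replayed with QR=0 so it is parsed as a request`; otherwise the value should be the BADTIME code (18, `0012`) and the comment updated to match. The `# Time Signed` comment describes the all-zero timestamp in CET; stating it as 1970-01-01 00:00:00 UTC would avoid a timezone-dependent reading of the bytes.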
@@ -212,5 +212,14 @@ ret=0
 $KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
 grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
+ret=0
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/util/copyrights b/util/copyrights
index 35273cb4f8..ee53272280 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -863,6 +863,7 @@
 ./bin/tests/system/tools/clean.sh SH 2017,2018,2019,2020
 ./bin/tests/system/tools/setup.sh SH 2019,2020
 ./bin/tests/system/tools/tests.sh SH 2017,2018,2019,2020
+./bin/tests/system/tsig/badtime X 2020
 ./bin/tests/system/tsig/clean.sh SH 2005,2006,2007,2012,2014,2016,2018,2019,2020
 ./bin/tests/system/tsig/setup.sh SH 2016,2017,2018,2019,2020
 ./bin/tests/system/tsig/tests.sh SH 2005,2006,2007,2011,2012,2016,2018,2019,2020
From 2d95c81452096478f0dbb071db21b2fba1df5bc1 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 25 Mar 2020 17:46:26 +1100
Subject: [PATCH 2/4] Only look at tsig.error in responses
---
 lib/dns/tsig.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 02a6775502..c940469520 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1360,8 +1360,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 goto cleanup_context;
 }
 msg->verified_sig = 1;
- } else if (tsig.error != dns_tsigerror_badsig && tsig.error != dns_tsigerror_badkey)
+ } else if (!response || (tsig.error != dns_tsigerror_badsig && tsig.error != dns_tsigerror_badkey))
 {
 tsig_log(msg->tsigkey, 2, "signature was empty");
 return (DNS_R_TSIGVERIFYFAILURE);
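Review bot: The exit status of `$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null` is discarded, so if the crafted packet is never delivered (fixture not found, connection refused) the following `dig` still answers NOERROR and the check passes without having exercised the replayed-response path. Appending `|| ret=1` to that line makes a delivery failure count like the other steps in this block. `echo_i`, `status` and the earlier `ret=0` conventions are defined before this hunk, outside the visible lines.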
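Review bot: The new `!response ||` term in the `else if` and the `response &&` guard in the second hunk (`@@ -1409,7 +1409,7 @@`) both encode a rule about which messages may omit a MAC or carry a TSIG error, and neither line has a comment saying what that rule is. Above the first I would add `/* Only a response may legitimately carry an empty MAC (an unsigned BADSIG/BADKEY error response, RFC 2845); a request with no MAC always fails verification. */`, and above the second `/* The TSIG error field is only meaningful in a response; in a request it is ignored rather than acted on. */`. `response` is set outside the hunk, presumably from the message's QR bit, so the comments should name the message direction rather than the flag. `dns_tsig_verify` begins and ends outside both hunks.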
@@ -1409,7 +1409,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 }
 }
- if (tsig.error != dns_rcode_noerror) {
+ if (response && tsig.error != dns_rcode_noerror) {
 msg->tsigstatus = tsig.error;
 if (tsig.error == dns_tsigerror_badtime) {
 ret = DNS_R_CLOCKSKEW;
From 52b4395a0c95a8f63c52bfcf8bb7a790945ae3de Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 30 Mar 2020 11:18:52 +1100
Subject: [PATCH 3/4] Add CHANGES entry
---
 CHANGES | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index b74f254722..ce1860a8dd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -91,7 +91,9 @@ from the Git repository, run "autoreconf -fi" first.
 [GL #4]
-5390. [placeholder]
+5390. [security] Replaying a TSIG BADTIME response as a request could
+ trigger an assertion failure. (CVE-2020-8617)
+ [GL #1703]
 5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller bugs and use PKCS#11 v3.0 EdDSA macros and constants.
From 2a020ea970f826e58420a94366a1a400cb82a45e Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 30 Mar 2020 11:49:46 +1100
Subject: [PATCH 4/4] Add release note entry
---
 doc/notes/notes-current.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 3c31be1022..b5362fb5ad 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -14,7 +14,8 @@ Notes for BIND 9.17.2
 Security Fixes
 ~~~~~~~~~~~~~~
-- None.
+- Replaying a TSIG BADTIME response as a request could trigger an
+ assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
 Known Issues
 ~~~~~~~~~~~~