Document Version: 2.0
Posting date: 06 November 2013
Versions affected: Windows versions 9.6-ESV->9.6-ESV-R10, 9.8.0->9.8.6, 9.9.0->9.9.4; Subscription: 9.9.3-S1 and 9.9.4-S1. ONLY Windows servers are affected.
Severity: High, for Windows systems with a specific netmask value set.
On some Microsoft Windows systems, a network interface that has an "all ones" IPv4 subnet mask (255.255.255.255) will be incorrectly reported (by the Winsock WSAIoctl API) as an all zeros value (0.0.0.0). Because interfaces' netmasks are used to compute the broadcast domain for each interface during construction of the built-in "localnets" ACL, an all zeroes netmask can cause matches on any IPv4 address, permitting unexpected access to any BIND feature configured to allow access to "localnets". And unless overridden by a specific value in named.conf, the default permissions for several BIND features (for example, allow-query-cache, allow-query-cache-on, allow-recursion, and others) use this predefined "localnets" ACL.
In addition, non-default access controls and other directives using an address match list with the predefined "localnets" ACL may not match as expected. This may include rndc "controls", "allow-notify", "allow-query", "allow-transfer", "allow-update", "blackhole", "filter-aaaa", "deny-answer-addresses", "exempt-clients", and other directives if an administrator has specified the "localnets" ACL in their match lists.
A support ticket has been filed with Microsoft for this winsock bug but Windows server administrators should use the workaround or upgrade to patched versions of BIND which override the incorrect value supplied by the flawed winsock call.
Only systems running versions of Microsoft Windows which have the flawed winsock call are vulnerable to this defect. Unix servers are not affected.
Under this defect, access controls and other directives which use "localnets" as part of the address match list may match much more broadly than was intended by the server administrator. Please note that in addition to configuration statements where the "localnets" acl is used explicitly, "localnets" may also be used in the default behavior for some features (such as "allow-recursion") unless specifically overridden in the configuration file. Allowing recursion to all reachable IPv4 addresses entails a number of risks, including increased exposure to cache poisoning and the possibility of being used in a reflection attack.
It is possible that in a small number of environments that correcting this defect may result in denial of service to desired clients that were previously permitted (erroneously) because of over-broad interpretation of "localnets". When upgrading to a patched version, administrators are advised to double-check their configuration file to confirm that all features which are controlled by access control lists are permitted appropriately.
CVSS Score: 6.8
CVSS Equation: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P).
On Windows, make sure you are not using a 255.255.255.255 netmask; or, if you have to use the 255.255.255.255 netmask, make sure you are not allowing default ACLs that contain "localnets".
For other scenarios on Windows, we recommend that administrators do not use the "localnets" ACL without using the patched version.
No known active exploits but a public discussion of the issue has taken place on a public mailing list and in a blog article.
Solution: Upgrade to the patched release most closely related to your current version of BIND. Open source versions can all be downloaded from http://www.isc.org/downloads. Subscription version customers will be contacted directly by ISC Support regarding delivery.
- BIND 9 version 9.6-ESV-R10-P1
- BIND 9 version 9.8.6-P1
- BIND 9 version 9.9.4-P1
Please Note: Older versions of BIND that are beyond their "end of life" (EOL) no longer receive testing or security fixes from ISC. For current information on which versions are actively supported, please see http://www.isc.org/downloads/software-support-policy/bind-software-status/.