Recursive DNS resolver implementations may follow referrals infinitely

2014-12-09T00:00:00
ID VU:264212
Type cert
Reporter CERT
Modified 2015-10-27T02:27:00

Description

Overview

Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.

Description

RFC 1034 defines how delegation works in the DNS: a parent zone hands out NS records for a child zone, and a resolver follows those referrals until it reaches a server that is authoritative for the name. It does not prescribe a particular implementation, and in particular it does not bound how much work a resolver may spend on a single query; each resolver chooses its own strategy. In some recursive resolver implementations, a query for a name served by a malicious authoritative server is answered with a referral whose nameservers are themselves names the resolver must look up, and each of those lookups is answered with yet another referral, so the resolver follows a chain of referrals that never terminates. Because every link in the chain can use a name the resolver has not seen before, detecting repeated names is not enough; the resolver has to bound the work itself. Every step allocates state and sends further queries, so attempting to follow the chain exhausts memory and CPU and causes a denial of service (DoS) on the resolver.

This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: "Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone."

If the resolver accepts out-of-bailiwick nameserver names that arrive without glue and resolves every nameserver in a referral in parallel, each referral fans out into several new lookups, so a single client query can make the resolver emit bursts of DNS queries. An attacker who points those lookups at a third party can therefore use the resolver to flood that target with DNS traffic, turning the resource-exhaustion bug into a DoS against someone else.


Impact

A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service.

Resolvers that resolve all the nameservers of a referral in parallel can emit large bursts of queries for a single client request.


Solution

Apply an update

These issues are addressed by limiting the maximum number of referrals a resolver will follow for one client query and the number of queries it will have in flight at once; when either limit is reached the resolver abandons the lookup and returns an error to the client instead of continuing to consume memory, CPU and network bandwidth. In BIND the patched releases expose these limits as the max-recursion-depth and max-recursion-queries options. See the Vendor Information section below for information about specific vendors.
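The following is an added example, not code from the CERT note or from any vendor's resolver: a toy iterative resolver driven against a constructed authoritative server that never stops delegating, next to a constructed honest server that uses a legitimate glueless out-of-bailiwick delegation, to show why the fix has to cap both the referral depth and the fan-out per client query and why a depth cap alone is not enough. All names, addresses, the server classes and the limit parameters max_referrals and max_outstanding are this example's own assumptions; they are not the option names of BIND, Unbound or PowerDNS.

```python
"""Added example (not from the CERT note or any vendor): a toy resolver with
the two caps the advisory describes, run against a constructed endless chain
of referrals and a constructed honest delegation. Names, addresses and the
max_referrals / max_outstanding knobs are this example's own assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ROOT = "198.51.100.1"  # constructed address standing in for the parent/root server


@dataclass
class Response:
    answer: Optional[str] = None                          # address, when the server is authoritative
    nameservers: List[str] = field(default_factory=list)  # NS names in a referral
    glue: Dict[str, str] = field(default_factory=dict)    # NS name -> address, when glue is supplied


class ResolverLimit(Exception):
    """Raised when the resolver gives up on a query instead of exhausting itself."""
    def __init__(self, kind: str, detail: str):
        super().__init__(detail)
        self.kind = kind


class MaliciousAuthority:
    """Constructed attacker-controlled authority: every question is met with a
    referral to a fresh zone whose nameservers sit in yet another attacker zone
    and carry no glue. Each NS name needs its own lookup, which is referred
    again, so the chain never ends and never repeats a name."""
    def __init__(self, fanout: int = 1):
        self.fanout = fanout  # NS names per referral; >1 makes the work fan out
        self.queries = 0
        self.zones = 0

    def query(self, name: str, server: str) -> Response:
        self.queries += 1
        self.zones += 1
        return Response(nameservers=[f"ns{i}.z{self.zones}.attacker.example"
                                     for i in range(self.fanout)])


class TableAuthority:
    """Constructed benign authority answering from a (name, server) table;
    anything not in the table is treated as a non-existent name."""
    def __init__(self, table: Dict[Tuple[str, str], Response]):
        self.table = table
        self.queries = 0

    def query(self, name: str, server: str) -> Response:
        self.queries += 1
        return self.table.get((name, server), Response())


def honest_authority() -> TableAuthority:
    """example.test is delegated to a glueless, out-of-bailiwick nameserver in
    hoster.test; resolving it legitimately takes two referrals and four queries."""
    return TableAuthority({
        ("www.example.test", ROOT): Response(nameservers=["ns.hoster.test"]),
        ("ns.hoster.test", ROOT): Response(nameservers=["ns1.hoster.test"],
                                           glue={"ns1.hoster.test": "192.0.2.2"}),
        ("ns.hoster.test", "192.0.2.2"): Response(answer="192.0.2.53"),
        ("www.example.test", "192.0.2.53"): Response(answer="192.0.2.10"),
    })


def resolve(auth, qname: str, max_referrals: int, max_outstanding: int) -> str:
    """Iterative resolution of qname. `queue` holds (name, server) questions
    still to send; `waiting` maps a glueless NS name to the questions blocked
    on its address. Without the two caps this loop never returns against
    MaliciousAuthority; with fanout > 1 the queue also grows without bound."""
    queue = deque([(qname, ROOT)])
    waiting = defaultdict(list)
    referrals = 0
    while queue:
        if len(queue) > max_outstanding:
            raise ResolverLimit("outstanding", f"{len(queue)} lookups in flight for "
                                f"{qname!r} exceeds {max_outstanding}")
        name, server = queue.popleft()
        resp = auth.query(name, server)
        if resp.answer is not None:
            if name == qname:
                return resp.answer
            for blocked in waiting.pop(name, []):  # NS address learned: re-ask there
                queue.append((blocked, resp.answer))
            continue
        if not resp.nameservers:
            raise LookupError(name)
        referrals += 1
        if referrals > max_referrals:
            raise ResolverLimit("referrals", f"{referrals} referrals while resolving "
                                f"{qname!r} exceeds {max_referrals}")
        for ns in resp.nameservers:
            if ns in resp.glue:
                queue.append((name, resp.glue[ns]))  # glue given: same question at that server
            else:
                waiting[ns].append(name)             # glueless: resolve the NS name first
                queue.append((ns, ROOT))
    raise LookupError(qname)


def probe(auth, qname: str, max_referrals: int = 10, max_outstanding: int = 20):
    """Resolve and report (outcome, detail, number of queries the authority received)."""
    try:
        return ("answer", resolve(auth, qname, max_referrals, max_outstanding), auth.queries)
    except ResolverLimit as limit:
        return ("limit", limit.kind, auth.queries)


if __name__ == "__main__":
    print(probe(honest_authority(), "www.example.test"))             # ('answer', '192.0.2.10', 4)
    print(probe(MaliciousAuthority(fanout=1), "www.victim.example"))  # ('limit', 'referrals', 11)
    print(probe(MaliciousAuthority(fanout=4), "www.victim.example"))  # ('limit', 'outstanding', 7)
```

With one glueless nameserver per referral the queue never grows, so only the referral-depth cap stops the chain, after max_referrals + 1 queries; with four glueless nameservers per referral the number of outstanding lookups grows by three per step and the in-flight cap trips first, after only seven queries, which is the burst the Impact section warns about. The honest delegation, which also goes through a glueless out-of-bailiwick nameserver, still resolves under both caps, which is the property a real limit has to preserve.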


Vendor Information

EfficientIP

Notified: December 11, 2014 Updated: May 11, 2015

Statement Date: December 22, 2014

Status

Affected

Vendor Statement

"All products are affected if they are used as a recursive DNS server. All versions are affected. Upgrade to the latest patch of your release: 5.0.4.p1 or 5.0.3.p4.

Available releases can be downloaded at: <http://www.efficientip.com/support-services/>"

Vendor Information

CVE-2014-8602 covers this vulnerability if you are running Unbound. CVE-2014-8500 covers this vulnerability if you are running BIND.

Vendor References

  • <http://www.efficientip.com/support-services/>

Infoblox

Notified: November 24, 2014 Updated: December 11, 2014

Statement Date: December 11, 2014

Status

Affected

Vendor Statement

"All versions of NIOS prior to 6.8.13, 6.10.11, 6.11.7 and 6.12.2 are affected by the vulnerability.

Please update to fixed versions available through the Infoblox support site or contact Infoblox Support for further assistance."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Systems Consortium

Updated: December 09, 2014

Status

Affected

Vendor Statement

Upgrade to the patched release most closely related to your current version of BIND. Patched builds of currently supported branches of BIND (9.9 and 9.10) can be downloaded via http://www.isc.org/downloads

* BIND 9 version 9.9.6-P1
* BIND 9 version 9.10.1-P1

Vendor Information

This vulnerability has been fixed in the latest version of BIND. Users are encouraged to update BIND as soon as possible. This issue in BIND is assigned CVE-2014-8500.

Vendor References

  • <https://kb.isc.org/article/AA-01216/0>

MaraDNS

Notified: December 03, 2014 Updated: January 26, 2015

Statement Date: January 24, 2015

Status

Affected

Vendor Statement

"I have released MaraDNS 2.0.10, MaraDNS 1.4.15, and Deadwood 3.2.06 which are patched against this possible vulnerability.

Downloads are available at <http://maradns.samiam.org/download/> and <https://github.com/samboy/MaraDNS>."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://maradns.samiam.org/download/>
  • <https://github.com/samboy/MaraDNS>
  • <https://github.com/samboy/MaraDNS/commit/1f694df9fb972d59d77167fff9bbdd095dc5d1b4>
  • <https://github.com/samboy/MaraDNS/commit/c5c49306ed1f2627774dae27313a2b58d9a9ac6d>

NEC Corporation

Updated: October 26, 2015

Status

Affected

Vendor Statement

We provide information on this issue at the following URL: <http://jpn.nec.com/security-info/secinfo/nv15-008.html> (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://jpn.nec.com/security-info/secinfo/nv15-008.html>

NLnet Labs

Updated: December 09, 2014

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2014-8602 covers this vulnerability in Unbound.

Vendor References

  • <https://unbound.net/downloads/CVE-2014-8602.txt>

PowerDNS

Updated: December 09, 2014

Status

Affected

Vendor Statement

Upgrade to PowerDNS Recursor 3.6.2.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://blog.powerdns.com/2014/12/08/powerdns-security-notification-2014-02/>
  • <http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/>

CZ NIC

Notified: December 17, 2014 Updated: December 18, 2014

Statement Date: December 18, 2014

Status

Not Affected

Vendor Statement

"Knot DNS is an authoritative-only DNS and thus is not vulnerable to this attack. We are in early stages of development for Knot DNS Resolver, so we will make sure that we mitigate this vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

European Registry for Internet Domains

Notified: December 17, 2014 Updated: December 18, 2014

Statement Date: December 18, 2014

Status

Not Affected

Vendor Statement

"We are not affected by this issue as we currently do not provide a recursive resolver."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU adns

Notified: December 03, 2014 Updated: December 17, 2014

Statement Date: December 17, 2014

Status

Not Affected

Vendor Statement

"adns is a stub resolver and does not follow delegation chains at all. So it is not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc

Updated: December 18, 2014

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified: December 18, 2014 Updated: December 29, 2014

Statement Date: December 20, 2014

Status

Not Affected

Vendor Statement

"The Windows DNS server is 'not affected' ... The Windows DNS server by default has ways to put a cap on the maximum effort it makes to resolve such chains. [Administrators] can further reduce or increase the cap as suited."

Vendor Information

The statement above refers to the following Microsoft TechNet Blog post describing how administrators may set the effort cap on the Microsoft DNS server:

<http://blogs.technet.com/b/networking/archive/2014/12/15/handling-endless-delegation-chains-in-windows-dns-server.aspx>

Vendor References

  • <http://blogs.technet.com/b/networking/archive/2014/12/15/handling-endless-delegation-chains-in-windows-dns-server.aspx>

Nominum

Notified: November 24, 2014 Updated: December 09, 2014

Statement Date: December 09, 2014

Status

Not Affected

Vendor Statement

"Nominum servers are not vulnerable to this attack directly."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenDNS

Notified: December 10, 2014 Updated: December 18, 2014

Statement Date: December 10, 2014

Status

Not Affected

Vendor Statement

"OpenDNS is not vulnerable to this attack."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secure64 Software Corporation

Notified: November 24, 2014 Updated: December 19, 2014

Statement Date: December 19, 2014

Status

Not Affected

Vendor Statement

"Secure64 servers are not directly vulnerable to this infinite recursion attack."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

djbdns

Notified: December 03, 2014 Updated: December 10, 2014

Statement Date: December 04, 2014

Status

Not Affected

Vendor Statement

"All versions: Not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

dnsmasq

Notified: December 03, 2014 Updated: December 05, 2014

Statement Date: December 04, 2014

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

gdnsd

Notified: December 17, 2014 Updated: December 18, 2014

Statement Date: December 18, 2014

Status

Not Affected

Vendor Statement

"gdnsd is not vulnerable to this attack because it is a pure authoritative server; it never sends DNS queries to other servers."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple

Notified: December 03, 2014 Updated: December 03, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco Systems, Inc.

Notified: December 03, 2014 Updated: December 03, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified: November 24, 2014 Updated: November 24, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

JH Software

Notified: December 17, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P
Temporal | 3.4 | E:POC/RL:OF/RC:C
Environmental | 3.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • <https://www.ietf.org/rfc/rfc1034.txt>
  • <http://cert.ssi.gouv.fr/site/CERTFR-2014-AVI-512/index.html>

Acknowledgements

ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: | CVE-2014-8601, CVE-2014-8500, CVE-2014-8602
---|---
Date Public: | 2014-12-08
Date First Published: | 2014-12-09
Date Last Updated: | 2015-10-27 02:27 UTC
Document Revision: | 57