Debian DSA-5504-1 : bind9 - security update

2023-09-2300:00:00

www.tenable.com

debian

dsa-5504-1

bind9

security update

vulnerabilities

stack memory

termination

dns-over-tls

networking code

assertion failure

cve-2023-3341

cve-2023-4236

8.1 High

AI Score

Confidence

High

JSON

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5504 advisory.

The code that processes control channel messages sent to named calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
only network access to the control channel’s configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)
A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1. (CVE-2023-4236)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5504. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(181817);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/16");

  script_cve_id("CVE-2023-3341", "CVE-2023-4236");
  script_xref(name:"IAVA", value:"2023-A-0500-S");

  script_name(english:"Debian DSA-5504-1 : bind9 - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5504 advisory.

  - The code that processes control channel messages sent to `named` calls certain functions recursively
    during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on
    the environment, this may cause the packet-parsing code to run out of available stack memory, causing
    `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its
    contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
    only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9
    versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through
    9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)

  - A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly
    due to an assertion failure. This happens when internal data structures are incorrectly reused under
    significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and
    9.18.11-S1 through 9.18.18-S1. (CVE-2023-4236)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052416");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/bind9");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5504");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-3341");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-4236");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/bind9");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/bind9");
  script_set_attribute(attribute:"solution", value:
"Upgrade the bind9 packages.

For the stable distribution (bookworm), these problems have been fixed in version 1");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-4236");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/09/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9-dnsutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9-host");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dnsutils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+|^(12)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0 / 12.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'bind9', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '11.0', 'prefix': 'bind9-dev', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '11.0', 'prefix': 'bind9-dnsutils', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '11.0', 'prefix': 'bind9-doc', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '11.0', 'prefix': 'bind9-host', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '11.0', 'prefix': 'bind9-libs', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '11.0', 'prefix': 'bind9-utils', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '11.0', 'prefix': 'bind9utils', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '11.0', 'prefix': 'dnsutils', 'reference': '1:9.16.44-1~deb11u1'},
    {'release': '12.0', 'prefix': 'bind9', 'reference': '1:9.18.19-1~deb12u1'},
    {'release': '12.0', 'prefix': 'bind9-dev', 'reference': '1:9.18.19-1~deb12u1'},
    {'release': '12.0', 'prefix': 'bind9-dnsutils', 'reference': '1:9.18.19-1~deb12u1'},
    {'release': '12.0', 'prefix': 'bind9-doc', 'reference': '1:9.18.19-1~deb12u1'},
    {'release': '12.0', 'prefix': 'bind9-host', 'reference': '1:9.18.19-1~deb12u1'},
    {'release': '12.0', 'prefix': 'bind9-libs', 'reference': '1:9.18.19-1~deb12u1'},
    {'release': '12.0', 'prefix': 'bind9-utils', 'reference': '1:9.18.19-1~deb12u1'},
    {'release': '12.0', 'prefix': 'bind9utils', 'reference': '1:9.18.19-1~deb12u1'},
    {'release': '12.0', 'prefix': 'dnsutils', 'reference': '1:9.18.19-1~deb12u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bind9 / bind9-dev / bind9-dnsutils / bind9-doc / bind9-host / etc');
}

VendorProductVersionCPE
debiandebian_linuxbind9p-cpe:/a:debian:debian_linux:bind9
debiandebian_linuxbind9-devp-cpe:/a:debian:debian_linux:bind9-dev
debiandebian_linuxbind9-dnsutilsp-cpe:/a:debian:debian_linux:bind9-dnsutils
debiandebian_linuxbind9-docp-cpe:/a:debian:debian_linux:bind9-doc
debiandebian_linuxbind9-hostp-cpe:/a:debian:debian_linux:bind9-host
debiandebian_linuxbind9-libsp-cpe:/a:debian:debian_linux:bind9-libs
debiandebian_linuxbind9-utilsp-cpe:/a:debian:debian_linux:bind9-utils
debiandebian_linuxbind9utilsp-cpe:/a:debian:debian_linux:bind9utils
debiandebian_linuxdnsutilsp-cpe:/a:debian:debian_linux:dnsutils
debiandebian_linux11.0cpe:/o:debian:debian_linux:11.0

Vendor	Product	Version	CPE
debian	debian_linux	bind9	p-cpe:/a:debian:debian_linux:bind9
debian	debian_linux	bind9-dev	p-cpe:/a:debian:debian_linux:bind9-dev
debian	debian_linux	bind9-dnsutils	p-cpe:/a:debian:debian_linux:bind9-dnsutils
debian	debian_linux	bind9-doc	p-cpe:/a:debian:debian_linux:bind9-doc
debian	debian_linux	bind9-host	p-cpe:/a:debian:debian_linux:bind9-host
debian	debian_linux	bind9-libs	p-cpe:/a:debian:debian_linux:bind9-libs
debian	debian_linux	bind9-utils	p-cpe:/a:debian:debian_linux:bind9-utils
debian	debian_linux	bind9utils	p-cpe:/a:debian:debian_linux:bind9utils
debian	debian_linux	dnsutils	p-cpe:/a:debian:debian_linux:dnsutils
debian	debian_linux	11.0	cpe:/o:debian:debian_linux:11.0