
ISC BIND Winsock API Vulnerability (CVE-2013-6230) - Windows

2021-09-06 00:00:00
Copyright (C) 2021 Greenbone Networks GmbH
plugins.openvas.org
2

6.5 Medium

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

75.0%

ISC BIND is prone to a vulnerability in the Winsock API.

# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

# CPE of the product under test; the detection code further down uses it to
# look up the port and version of the detected ISC BIND instance.
CPE = "cpe:/a:isc:bind";

# Metadata section: registers identifiers, scoring, dependencies and advisory
# text for this check, then exits without testing anything.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.146642");
  script_version("2021-09-06T13:13:18+0000");
  script_tag(name:"last_modification", value:"2021-09-06 13:13:18 +0000 (Mon, 06 Sep 2021)");
  script_tag(name:"creation_date", value:"2021-09-06 12:31:07 +0000 (Mon, 06 Sep 2021)");
  # CVSS v2 base score and vector for CVE-2013-6230.
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");

  script_cve_id("CVE-2013-6230");

  # remote_banner: the result rests on the version string reported for the
  # service. It does not confirm that the host actually has an interface with
  # a 255.255.255.255 netmask, nor that 'localnets' is in effect in named.conf,
  # so a finding should be read as "potentially affected".
  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("ISC BIND Winsock API Vulnerability (CVE-2013-6230) - Windows");

  # Information-gathering category: the code below only compares version
  # strings that were collected earlier.
  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
  script_family("General");
  # Runs after BIND detection and OS detection; the mandatory keys restrict
  # the check to hosts where BIND was detected and the OS was identified as
  # Windows (presumably set by the two dependencies - confirm against them).
  script_dependencies("gb_isc_bind_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("isc/bind/detected", "Host/runs_windows");

  script_tag(name:"summary", value:"ISC BIND is prone to a vulnerability in the Winsock API.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  # Root cause as described by the advisory: a wrongly reported netmask widens
  # the built-in 'localnets' ACL to every IPv4 address.
  script_tag(name:"insight", value:"On some Microsoft Windows systems, a network interface that has
  an 'all ones' IPv4 subnet mask (255.255.255.255) will be incorrectly reported (by the Winsock
  WSAIoctl API) as an all zeroes value (0.0.0.0). Because interfaces' netmasks are used to compute
  the broadcast domain for each interface during construction of the built-in 'localnets' ACL, an
  all zeroes netmask can cause matches on any IPv4 address, permitting unexpected access to any
  BIND feature configured to allow access to 'localnets'. And unless overridden by a specific value
  in named.conf, the default permissions for several BIND features (for example, allow-query-cache,
  allow-query-cache-on, allow-recursion, and others) use this predefined 'localnets' ACL.

  In addition, non-default access controls and other directives using an address match list with
  the predefined 'localnets' ACL may not match as expected. This may include rndc 'controls',
  'allow-notify', 'allow-query', 'allow-transfer', 'allow-update', 'blackhole', 'filter-aaaa',
  'deny-answer-addresses', 'exempt-clients', and other directives if an administrator has specified
  the 'localnets' ACL in their match lists.");

  script_tag(name:"impact", value:"Under this defect, access controls and other directives which
  use 'localnets' as part of the address match list may match much more broadly than was intended
  by the server administrator. Please note that in addition to configuration statements where the
  'localnets' acl is used explicitly, 'localnets' may also be used in the default behavior for some
  features (such as 'allow-recursion') unless specifically overridden in the configuration file.
  Allowing recursion to all reachable IPv4 addresses entails a number of risks, including increased
  exposure to cache poisoning and the possibility of being used in a reflection attack.");

  script_tag(name:"affected", value:"BIND 9.6-ESV through 9.6-ESV-R10, 9.8.0 through 9.8.6, 9.9.0
  through 9.9.4, 9.9.3-S1 and 9.9.4-S1 on Windows.");

  script_tag(name:"solution", value:"Update to version 9.6-ESV-R10-P1, 9.8.6-P1, 9.9.4-P1 or later.");

  script_xref(name:"URL", value:"https://kb.isc.org/docs/aa-01062");

  # Description pass ends here; the detection code below is not reached.
  exit(0);
}

include("host_details.inc");
include("version_func.inc");

# Look up the port recorded for the detected BIND instance; with no port
# there is nothing to evaluate.
port = get_app_port(cpe: CPE);
if (isnull(port))
  exit(0);

# Fetch the details stored for that instance. exit_no_version: TRUE is passed
# because every comparison below needs a version string (presumably the helper
# stops the script itself when none is known - confirm in host_details.inc).
infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE);
if (!infos)
  exit(0);

# Fields used by the version checks and the report.
location = infos["location"];
proto = infos["proto"];
version = infos["version"];

# Decide which fixed release, if any, applies to the detected version. The
# comparison is purely version based: a match means the build is in an affected
# range, not that 'localnets' is actually widened on this host (that needs an
# interface with a 255.255.255.255 mask, see the insight text).
fix = NULL;

if (version =~ "^9\.9\.[0-9]+s[0-9]") {
  # Subscription ("-S") builds: only the two releases named in the advisory
  # are flagged; any other -S build is treated as not affected.
  if (version_is_equal(version: version, test_version: "9.9.3s1") ||
      version_is_equal(version: version, test_version: "9.9.4s1"))
    fix = "See advisory";
}
# NOTE(review): "9.6.10" presumably is how the detection normalises
# 9.6-ESV-R10 - confirm against gb_isc_bind_consolidation.nasl.
else if (version_in_range(version: version, test_version: "9.6", test_version2: "9.6.10"))
  fix = "9.6-ESV-R10-P1";
else if (version_in_range(version: version, test_version: "9.8.0", test_version2: "9.8.6"))
  fix = "9.8.6-P1";
else if (version_in_range(version: version, test_version: "9.9.0", test_version2: "9.9.4"))
  fix = "9.9.4-P1";

if (!isnull(fix)) {
  # Affected range matched: report installed version, fixed version and
  # install location on the detected port/protocol.
  report = report_fixed_ver(installed_version: version, fixed_version: fix, install_path: location);
  security_message(port: port, data: report, proto: proto);
  exit(0);
}

# No affected range matched; exit code 99 is the feed's convention for
# "checked and not affected".
exit(99);
