openSUSE Security Update : bind (openSUSE-2020-1699)

Medium Nessus Plugin ID 141560

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 7.1

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for bind fixes the following issues :

BIND was upgraded to version 9.16.6 :

Note :

- bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues :

- CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain.

- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure.
(bsc#1171740)

- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).

- CVE-2018-5741: Fixed the documentation (bsc#1109160).

- CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).

- CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).

- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).

- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).

- CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).

- CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).

- CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed :

- Add engine support to OpenSSL EdDSA implementation.

- Add engine support to OpenSSL ECDSA implementation.

- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.

- Warn about AXFR streams with inconsistent message IDs.

- Make ISC rwlock implementation the default again.

- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)

- Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)

- Fixed an issue where bind was not working in FIPS mode (bsc#906079).

- Fixed dependency issues (bsc#1118367 and bsc#1118368).

- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).

- Fixed an issue with FIPS (bsc#1128220).

- The liblwres library is discontinued upstream and is no longer included.

- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).

- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.

- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.

- Zone timers are now exported via statistics channel.

- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.

- 'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.

- Add 'rndc dnssec -status' command.

- Addressed a couple of situations where named could crash.

- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf]

- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).

- Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)

- /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]

- Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).

- Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected bind packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1100369

https://bugzilla.opensuse.org/show_bug.cgi?id=1109160

https://bugzilla.opensuse.org/show_bug.cgi?id=1118367

https://bugzilla.opensuse.org/show_bug.cgi?id=1118368

https://bugzilla.opensuse.org/show_bug.cgi?id=1128220

https://bugzilla.opensuse.org/show_bug.cgi?id=1156205

https://bugzilla.opensuse.org/show_bug.cgi?id=1157051

https://bugzilla.opensuse.org/show_bug.cgi?id=1161168

https://bugzilla.opensuse.org/show_bug.cgi?id=1170667

https://bugzilla.opensuse.org/show_bug.cgi?id=1170713

https://bugzilla.opensuse.org/show_bug.cgi?id=1171313

https://bugzilla.opensuse.org/show_bug.cgi?id=1171740

https://bugzilla.opensuse.org/show_bug.cgi?id=1172958

https://bugzilla.opensuse.org/show_bug.cgi?id=1173307

https://bugzilla.opensuse.org/show_bug.cgi?id=1173311

https://bugzilla.opensuse.org/show_bug.cgi?id=1173983

https://bugzilla.opensuse.org/show_bug.cgi?id=1175443

https://bugzilla.opensuse.org/show_bug.cgi?id=1176092

https://bugzilla.opensuse.org/show_bug.cgi?id=1176674

https://bugzilla.opensuse.org/show_bug.cgi?id=906079

https://features.opensuse.org/325524

Plugin Details

Severity: Medium

ID: 141560

File Name: openSUSE-2020-1699.nasl

Version: 1.2

Type: local

Agent: unix

Published: 2020/10/20

Updated: 2020/10/22

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 7.1

CVSS Score Source: CVE-2020-8624

CVSS v2.0

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 4.3

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:bind, p-cpe:/a:novell:opensuse:bind-chrootenv, p-cpe:/a:novell:opensuse:bind-debuginfo, p-cpe:/a:novell:opensuse:bind-debugsource, p-cpe:/a:novell:opensuse:bind-devel, p-cpe:/a:novell:opensuse:bind-devel-32bit, p-cpe:/a:novell:opensuse:bind-utils, p-cpe:/a:novell:opensuse:bind-utils-debuginfo, p-cpe:/a:novell:opensuse:libbind9-1600, p-cpe:/a:novell:opensuse:libbind9-1600-32bit, p-cpe:/a:novell:opensuse:libbind9-1600-32bit-debuginfo, p-cpe:/a:novell:opensuse:libbind9-1600-debuginfo, p-cpe:/a:novell:opensuse:libdns1605, p-cpe:/a:novell:opensuse:libdns1605-32bit, p-cpe:/a:novell:opensuse:libdns1605-32bit-debuginfo, p-cpe:/a:novell:opensuse:libdns1605-debuginfo, p-cpe:/a:novell:opensuse:libirs-devel, p-cpe:/a:novell:opensuse:libirs1601, p-cpe:/a:novell:opensuse:libirs1601-32bit, p-cpe:/a:novell:opensuse:libirs1601-32bit-debuginfo, p-cpe:/a:novell:opensuse:libirs1601-debuginfo, p-cpe:/a:novell:opensuse:libisc1606, p-cpe:/a:novell:opensuse:libisc1606-32bit, p-cpe:/a:novell:opensuse:libisc1606-32bit-debuginfo, p-cpe:/a:novell:opensuse:libisc1606-debuginfo, p-cpe:/a:novell:opensuse:libisccc1600, p-cpe:/a:novell:opensuse:libisccc1600-32bit, p-cpe:/a:novell:opensuse:libisccc1600-32bit-debuginfo, p-cpe:/a:novell:opensuse:libisccc1600-debuginfo, p-cpe:/a:novell:opensuse:libisccfg1600, p-cpe:/a:novell:opensuse:libisccfg1600-32bit, p-cpe:/a:novell:opensuse:libisccfg1600-32bit-debuginfo, p-cpe:/a:novell:opensuse:libisccfg1600-debuginfo, p-cpe:/a:novell:opensuse:libns1604, p-cpe:/a:novell:opensuse:libns1604-32bit, p-cpe:/a:novell:opensuse:libns1604-32bit-debuginfo, p-cpe:/a:novell:opensuse:libns1604-debuginfo, p-cpe:/a:novell:opensuse:libuv-debugsource, p-cpe:/a:novell:opensuse:libuv-devel, p-cpe:/a:novell:opensuse:libuv1, p-cpe:/a:novell:opensuse:libuv1-32bit, p-cpe:/a:novell:opensuse:libuv1-32bit-debuginfo, p-cpe:/a:novell:opensuse:libuv1-debuginfo, p-cpe:/a:novell:opensuse:python3-bind, p-cpe:/a:novell:opensuse:sysuser-shadow, p-cpe:/a:novell:opensuse:sysuser-tools, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2020/10/19

Vulnerability Publication Date: 2019/01/16

Reference Information

CVE: CVE-2017-3136, CVE-2018-5741, CVE-2019-6477, CVE-2020-8616, CVE-2020-8617, CVE-2020-8618, CVE-2020-8619, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624