Bug #37220 for bind9-public: dig verifying malformed RRSIG enters endless loop

Thu, 18 Sep 2014 07:01:11 -0400 Filippo Valsorda <filippo@cloudflare.com> - Ticket created

Subject:	dig verifying malformed RRSIG enters endless loop
Date:	Thu, 18 Sep 2014 12:00:42 +0100
To:	bind-bugs@isc.org
From:	Filippo Valsorda <filippo@cloudflare.com>

If dig +sigchase encounters a RRSIG with inception in the future it will enter a tight endless loop.

This is probably a DoS minor security vulnerability.

It might be worth to check if the same verification code is used in other products that might be affected.

====================================

;; RRset to chase:

cloudflare-secure.net. 30 IN DNSKEY 256 3 13 dNbV354UDSbhpZ2n9Uw8I/A3Q5qFtdLCn4gIB5xXKnS1x2+b3OikUoBi zxoiWXTyug/4aAYewumvX8Yd0AoAaw==

cloudflare-secure.net. 30 IN DNSKEY 257 3 13 /l6y5G5M/wjknrmVmFHE4JIuzVWpypsSvPyEcSGr5LyVFYtG7HnlyjRr mrxdaqqN/9F5jYUbXw9fgY0UZ8mw3w==

;; RRSIG of the RRset to chase:

cloudflare-secure.net. 30 IN RRSIG DNSKEY 13 2 3600 20150317125525 20150317125525 14032 cloudflare-secure.net. It0X7ij2R5uV+Ida9m6eO+NVkqbYGLoj82IVqn6yOO9+xm0WA72tALgt qgRH4qpxB7DUcKvrcmLmRoBqcRfG3Q==

;; DNSKEYset that signs the RRset to chase:

cloudflare-secure.net. 30 IN DNSKEY 256 3 13 dNbV354UDSbhpZ2n9Uw8I/A3Q5qFtdLCn4gIB5xXKnS1x2+b3OikUoBi zxoiWXTyug/4aAYewumvX8Yd0AoAaw==

cloudflare-secure.net. 30 IN DNSKEY 257 3 13 /l6y5G5M/wjknrmVmFHE4JIuzVWpypsSvPyEcSGr5LyVFYtG7HnlyjRr mrxdaqqN/9F5jYUbXw9fgY0UZ8mw3w==

;; RRSIG of the DNSKEYset that signs the RRset to chase:

cloudflare-secure.net. 30 IN RRSIG DNSKEY 13 2 3600 20150317125525 20150317125525 14032 cloudflare-secure.net. It0X7ij2R5uV+Ida9m6eO+NVkqbYGLoj82IVqn6yOO9+xm0WA72tALgt qgRH4qpxB7DUcKvrcmLmRoBqcRfG3Q==

Launch a query to find a RRset of type DS for zone: cloudflare-secure.net.

;; DSset of the DNSKEYset

cloudflare-secure.net. 21599 IN DS 14032 13 2 5FF2E12C473B42291E23A851E75681B2AEA7155A92D2839A586C41A2 88E3729A

;; RRSIG of the DSset of the DNSKEYset

cloudflare-secure.net. 21599 IN RRSIG DS 8 2 86400 20140924175426 20140917164426 32507 net. h+3WQUdF7eT9q/ghf080Dek61lDWHxl4zOnefRMYOK06xKASDA87OR6y RH+T2wc3DHaq2+f+75euPh+DQhpJG1NblrtEr3HNf7MnqiSzSBJceQRg MTTs3MAXRVH9nUUSaDIrOyGc0Py481XKV1kDrWvUV0wm+cfKsiy0+nSW Fa0=

;; WE HAVE MATERIAL, WE NOW DO VALIDATION

;; VERIFYING DNSKEY RRset for cloudflare-secure.net. with DNSKEY:14032: RRSIG validity period has not begun

[...]

Thu, 18 Sep 2014 16:54:07 -0400 Mark Andrews <marka@isc.org> - Correspondence added

Subject:	Re: [ISC-Bugs #37220] dig verifying malformed RRSIG enters endless loop
Date:	Fri, 19 Sep 2014 06:54:02 +1000
To:	bind9-bugs@isc.org
From:	Mark Andrews <marka@isc.org>

In message <rt-3.8.6-2416-1411038072-778.37220-3-0@isc.org>, "Filippo Valsorda via RT" writes: > If dig +sigchase encounters a RRSIG with inception in the future it will > enter a tight endless loop. > > This is probably a DoS minor security vulnerability. > > It might be worth to check if the same verification code is used in other > products that might be affected. +sigchase is off by default at compile time in part because it is contributed code which hasn't had all the bugs removed from it. The validator used in both named and delv has a different design to the one used in dig +sigchase. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

Thu, 18 Sep 2014 16:54:07 -0400 The RT System itself - Status changed from 'new' to 'open'

Mon, 29 Sep 2014 20:22:35 -0400 Mark Andrews <marka@isc.org> - Taken

Mon, 29 Sep 2014 22:37:13 -0400 Mark Andrews <marka@isc.org> - Queue changed from #6 to #7

Mon, 29 Sep 2014 22:37:13 -0400 Mark Andrews <marka@isc.org> - Given to Nobody in particular

Mon, 29 Sep 2014 22:44:51 -0400 Mark Andrews <marka@isc.org> - Correspondence added

The attached patch should prevent dig looping. It is yet to be reviewed internally.

Subject:

rt37220.patch

Message body not shown because it is not plain text.

Tue, 30 Sep 2014 11:11:19 -0400 Francis Dupont <Francis_Dupont@isc.org> - Taken

Tue, 30 Sep 2014 11:24:18 -0400 Francis Dupont <Francis_Dupont@isc.org> - Given to Mark Andrews <marka@isc.org>

Tue, 30 Sep 2014 17:20:17 -0400 Mark Andrews <marka@isc.org> - Version Fixed 9.9.7,9.9.6(sub),9.10.2,9.11.0 added

Tue, 30 Sep 2014 17:20:17 -0400 Mark Andrews <marka@isc.org> - Queue changed from #7 to #30

Tue, 30 Sep 2014 17:20:17 -0400 Mark Andrews <marka@isc.org> - Given to Nobody in particular

Tue, 21 Oct 2014 20:07:58 -0400 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'open' to 'resolved'

Tue, 02 Aug 2016 17:58:40 -0400 Vicky Risk <vicky@isc.org> - Severity S2 Normal added

Tue, 02 Aug 2016 17:58:40 -0400 Vicky Risk <vicky@isc.org> - Area bug added

Tue, 02 Aug 2016 17:58:40 -0400 Vicky Risk <vicky@isc.org> - Component BIND Utilities added

Wed, 21 Jun 2017 14:36:13 -0400 Brian Conry <bconry@isc.org> - Queue changed from #30 to #6

Mon, 26 Jun 2017 19:38:58 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #6 to bind9-public

Thu, 03 Aug 2017 21:55:36 -0400 Mark Andrews <marka@isc.org> - Version Fixed 9.9.7,9.9.6(sub),9.10.2,9.11.0 changed to 9.9.7, 9.9.7-S1, 9.10.2, 9.11.0

Created:	Thu, 18 Sep 2014 07:01:11 -0400
Updated:	Thu, 03 Aug 2017 21:55:36 -0400
Closed:	Tue, 21 Oct 2014 20:07:58 -0400

Bug #37220 for bind9-public: dig verifying malformed RRSIG enters endless loop

This bug tracker is no longer active.