Synology-SA-17:24 BIND

Publish Time: 2017-06-30 00:00:00 UTC+8

Last Updated: 2017-09-08 16:24:26 UTC+8

Severity: Important

Status: Resolved

Abstract

CVE-2017-3142 allows a remote attacker to circumvent TSIG authentication and view the entire contents of a zone on the vulnerable DNS Server.

CVE-2017-3143 allows a remote attacker to forge a valid signature for a dynamic update and inject malicious zone content on the vulnerable DNS Server.

Severity

Important

CVSSv3 Base Score: 7.5

Affected

  • Products

    • DNS Server 2.2.x before 2.2.1-3050, 1.2.x before 1.2.0-0131 and 1.x before 1.1-0301
  • Models

    • All Synology models

Description

  • CVE-2017-3142
    An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into:

    • providing an AXFR of a zone to an unauthorized recipient
    • accepting bogus NOTIFY packets
  • CVE-2017-3143
    An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update.

Mitigation

If you use TSIG authentication for a slave zone, follow the steps below to protect it against this attack.

  • Creating a new slave zone

    1. In the Zones tab, press the Create button and choose Slave zone from the menu.
    2. Tick the Limit source IP service box and press the Source IP List button.
    3. Press the Create button at the top of the region.
    4. Choose Single IP host or Subnet.
    5. If you chose Single IP host, enter a permitted IP address in the IP address field.
      For example, enter 192.168.1.100 if you allow the DNS server 192.168.1.100 to transfer the zone to your DNS server.
    6. If you chose Subnet, enter a permitted subnet in the IP address field and its netmask in Subnet mask.
      For example, enter 192.168.1.0 in the IP address field and 255.255.255.0 in Subnet mask if you allow all DNS servers in the range 192.168.1.0 ~ 192.168.1.255 to transfer the zone to your DNS server.
    7. Repeat steps 5 ~ 6 to add further permitted IP sources.
    8. Press OK to save the entry, then press Finish to close the whitelist settings.
    9. Press OK to save the new slave zone.
  • Edit an existing slave zone

    1. In the Zones tab, press the Edit button and choose Zone settings from the menu.
    2. Follow steps 2 ~ 9 of the Creating a new slave zone section.
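
The same defence, expressed for the underlying BIND configuration rather than the DSM interface, as an added example that is not part of this advisory: a named.conf fragment with a TSIG-only zone beside one that also requires a permitted source network (BIND's nested negated match list), and a small audit function that flags zone ACLs relying on a key alone. The zone names, key name and secret are constructed.

```python
import re

# BIND statements whose address match list gates a security-relevant action.
ACL_STATEMENTS = ("allow-transfer", "allow-update", "allow-notify", "allow-update-forwarding")
# Constructed named.conf (not from the advisory): "weak.example" relies on the TSIG
# key alone, which a forged-signature bug defeats; "hardened.example" also
# requires a permitted source network, the equivalent of the "Limit source IP" list.
SAMPLE_NAMED_CONF = """
key "xfer-key" { algorithm hmac-sha256; secret "Y29uc3RydWN0ZWQ="; };
zone "weak.example" {
    type master;
    allow-transfer { key "xfer-key"; };   // TSIG only: no address restriction
};
zone "hardened.example" {
    type master;
    // Nested negated list: clients outside 192.168.1.0/24 are denied outright;
    // clients inside fall through and must still present a valid signature.
    allow-transfer { !{ !192.168.1.0/24; any; }; key "xfer-key"; };
};
"""

def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so addresses mentioned there are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", conf)

def matching_brace(text: str, start: int) -> int:
    """Index of the '}' closing the '{' at text[start]; handles nested lists."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces")

ADDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b|[0-9a-fA-F]*:[0-9a-fA-F:]+|\blocal(?:host|nets)\b")
KEY_RE = re.compile(r'\bkey\s+"?[\w.-]+"?\s*;')

def find_tsig_only_acls(conf: str) -> list:
    """(zone, statement) pairs whose match list names a key but no address; named ACLs are not expanded."""
    conf = strip_comments(conf)
    findings = []
    for zone in re.finditer(r'zone\s+"([^"]+)"(?:\s+\w+)?\s*\{', conf):
        open_at = zone.end() - 1
        body = conf[open_at : matching_brace(conf, open_at) + 1]
        for stmt in re.finditer(r"\b(%s)\s*\{" % "|".join(ACL_STATEMENTS), body):
            acl = body[stmt.end() - 1 : matching_brace(body, stmt.end() - 1) + 1]
            if KEY_RE.search(acl) and not ADDR_RE.search(acl):
                findings.append((zone.group(1), stmt.group(1)))
    return findings
```

Zones that reference a named acl instead of literal addresses are reported too and need a manual look.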

Update Availability

To fix the security issue, please go to DSM > Package Center and update DNS Server to 2.2.1-3051 or above.

References