[CVE-2020-8624] "update-policy" rules of type "subdomain" are enforced incorrectly
Summary
update-policy { grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt; } is not handled correctly.
It is also possible to change entries in DOMAIN.TLD.
BIND version used
9.16.5 (openSUSE)
9.11.5 (Debian buster)
Both show exactly the same problem.
Steps to reproduce
Configuration:
include "/etc/bind/dev.key";
zone DOMAIN.TLD {
type master;
file "/var/lib/bind/zones/DOMAIN.TLD";
key-directory "/var/lib/bind/keys";
masterfile-format raw;
update-policy {
grant dhcp zonesub a dhcid;
grant local-ddns zonesub any;
grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt;
};
allow-transfer {
local;
};
};
Key
cat /etc/bind/dev.key
key "dev.DOMAIN.TLD" {
algorithm hmac-sha512;
secret "******";
};
nsupdate -k dev.key
> server 192.168.122.129
> ttl 3600
> update add test3.dev.DOMAIN.TLD a 192.0.2.3
> send
> update add test.DOMAIN.TLD a 192.0.2.1
> send
Jul 28 16:48:59 leap152-bind named[5894]: client @0x7f5718000c80 192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test3.dev.DOMAIN.de' A 192.0.2.3
Jul 28 16:48:59 leap152-bind named[5894]: zone DOMAIN.de/IN: sending notifies (serial 2020050521)
Jul 28 16:49:07 leap152-bind named[5894]: client @0x7f5718000c80 192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test.DOMAIN.de' A 192.0.2.1
Jul 28 16:49:07 leap152-bind named[5894]: zone DOMAIN.de/IN: sending notifies (serial 2020050522)
What is the current bug behavior?
It is also possible to change entries in DOMAIN.TLD
What is the expected correct behavior?
nsupdate -k dev.key
> server 192.168.122.129
> ttl 3600
> update add test4.dev.DOMAIN.TLD a 192.0.2.4
> send
> update add test4.DOMAIN.TLD a 192.0.2.4
> send
update failed: REFUSED
Jul 28 19:55:24 leap152-bind named[7625]: client @0x7ff5580a6970 192.168.122.1#46061/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test4.dev.DOMAIN.de' A 192.0.2.4
Jul 28 19:55:24 leap152-bind named[7625]: zone DOMAIN.de/IN: sending notifies (serial 2020050523)
Jul 28 19:55:38 leap152-bind named[7625]: client @0x7ff5580a6970 192.168.122.1#46061/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': update failed: rejected by secure update (REFUSED)
This is seen on:
9.11.2 (openSUSE)
9.10.3 (Debian stretch)
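To make the expected behaviour above concrete, here is an added Python model (not BIND's own code) of how "subdomain" and "zonesub" grants are meant to scope an update: the signing key name must match the grant identity, the updated name must be at or below the rule's name on a label boundary, and the RR type must be listed. It assumes the TSIG signature has already been verified, models only these two nametypes, and treats an empty type list as matching any type, which simplifies BIND's actual rule.

```python
from typing import List, Set, Tuple

# Added illustration of intended update-policy semantics (not BIND's own code).
# Constructed policy text, copied from the grant lines in the report's zone block.
ZONE = "DOMAIN.TLD"
POLICY_TEXT = """
grant dhcp zonesub a dhcid;
grant local-ddns zonesub any;
grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt;
"""
Rule = Tuple[str, str, str, Set[str]]  # (identity, nametype, target name, rrtypes)

def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot does not change the name.
    return name.lower().rstrip(".").split(".")

def is_subdomain(name: str, parent: str) -> bool:
    """True if name equals parent or lies below it on a label boundary."""
    n, p = _labels(name), _labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p

def parse_policy(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        words = line.strip().rstrip(";").split()
        if not words or words[0] != "grant":
            continue
        identity, nametype = words[1], words[2]
        if nametype == "zonesub":           # zonesub implies the zone name
            target, rrtypes = ZONE, words[3:]
        else:                               # subdomain carries an explicit name
            target, rrtypes = words[3], words[4:]
        rules.append((identity, nametype, target, {t.lower() for t in rrtypes}))
    return rules

def update_allowed(rules: List[Rule], signer: str, name: str, rrtype: str) -> bool:
    """Intended check for one update; signer is the already verified TSIG key name."""
    for identity, nametype, target, rrtypes in rules:
        if _labels(identity) != _labels(signer):
            continue
        if nametype not in ("subdomain", "zonesub"):
            continue                        # other nametypes are not modelled here
        if not is_subdomain(name, target):
            continue                        # test.DOMAIN.TLD is not under dev.DOMAIN.TLD
        # Simplification: an empty type list is treated as "any" (BIND excludes a few types).
        if not rrtypes or "any" in rrtypes or rrtype.lower() in rrtypes:
            return True
    return False

RULES = parse_policy(POLICY_TEXT)
```

With this model the report's first update (test3.dev.DOMAIN.TLD) is allowed and the second (test.DOMAIN.TLD) is refused, which is the behaviour the older versions show.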