[CVE-2021-25220] DNS Cache Poisoning Vulnerability
CVE-specific actions
-
Assign a CVE identifier: CVE-2021-25220 -
Determine CVSS score: 6.8: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N/E:U/RL:U/RC:C -
Determine the range of BIND versions affected (including the Subscription Edition) -
Determine whether workarounds for the problem exists: No -
Create a draft of the security advisory and put the information above in there (+ add credits) -
Prepare a detailed description of the problem which should include the following by default: - instructions for reproducing the problem (a system test is good enough)
- explanation of code flow which triggers the problem (a system test is not good enough)
-
Prepare a private merge request containing the following items in separate commits: - a test for the issue (may be moved to a separate merge request for deferred merging)
- a fix for the issue
- documentation updates (
CHANGES, release notes, anything else applicable)
-
Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions -
Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff -
Prepare backports of the merge request addressing the problem for all affected (and still maintained + this time also v9.11) BIND branches (backporting might affect the issue's scope and/or description) -
Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
Release-specific actions
-
Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle -
Reserve a block of CHANGESplaceholders once the complete set of vulnerabilities fixed in a given release cycle is determined -
Ensure the merge requests containing CVE fixes are merged into security-*branches in CVE identifier order
Post-disclosure actions
-
Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches
Report: DNS Cache Poisoning Vulnerability
By Xiang Li from Network and Information Security Laboratory, Tsinghua University On Oct 10, 2021
Overview
We found a vulnerability in the bailiwick checking procedure of your resolver, which allows specific attackers to inject NS records of any domain (even TLDs) into the cache and conduct a DNS cache poisoning attack. The effects of an exploit would be widespread and highly impactful, as this injection could hijack any subdomain under the poisoned domain, including TLDs, e.g., com and net .
Vulnerability Details
When the resolver is configured with a conditional forwarding zone and a forwarder, it will query all domains under the zone targeting the forwarder. For example, we give a brief config file in the following, where queries of any domain under attacker.com will be sent directly to x.x.x.x for resolution. While for the other domains, they are processed by the resolver itself through recursive queries, such as com and victim.com.
options {
recursion yes;
dnssec-validation yes; // this is not sufficient to enable DNSSEC validation - keys are missing!
};
zone "attacker.com" {
type forward;
forwarders { x.x.x.x port 53; };
};If an attacker query A records of x.attacker.com, and the resolver receives a response with an AA flag in the following. The bogus NS records of com will be cached. As a result, queries of any domain under com in the future will be sent directly to the fake name server ns.attacker.com, thus hijacked by attackers.
| Field | Value |
|---|---|
| Question | x.attacker.com A |
| Answer | x.attacker.com A 1.2.3.4 |
| Authority | com NS ns.attacker.com |
Root Cause Analysis
Through source code review, we locate the root cause of the vulnerability.
Specifically, Query.zone is the key to bailiwick checking logic. Any resource records whose name is not under or same as Query.zone during responses processing will be removed.
However, when forwarding, Query.zone is initialized with the "closest" name of NS records following the recursive resolution process.
As for the forwarding zone, there are no directly corresponding NS records. Therefore, for example, when querying attacker.com, Query.zone is com or the root ..
Consequently, the fake domain is under com and ., which is considered to be in-bailiwick.
Proof-of-Concept
We give two exploiting methods and show our real attack videos in the link with password: bind_attack_pre_21.
For ethical considerations, we build the whole DNS testing environment, including the attacker machine, the conditional DNS server, the upstream resolver, and our authoritative server. And we use attacker.attack as an example domain to attack NS records of com.
- If the forwarder
x.x.x.xis held by an attacker, he can return the bogus response directly from the authoritative server. We show our attack steps below, and the video is namedbind_attack_fd.mp4in the folder.- From 00:00, we show the latest BIND version.
- From 00:05, we start BIND.
- From 00:10, we query
github.comand obtain correctcomNSrecords through recursive queries. - From 00:20, we query the forwarded domain
attacker.attackand receive fake comNSrecords. - From 00:28, bingo, fake
comNSrecords are cached successfully.
- If the forwarder
x.x.x.xis not held by an attacker, he should inject the bogus response directly from the off-path. And we leverage the SAD DNS attack to poison the resolver successfully. We show our attack steps below, and the video is namedbind_attack_fu.mp4in the folder.- From 00:00, we show the latest BIND version and Linux version.
- From 00:06, we start BIND.
- From 00:11, we query
github.comand obtain correctcomNSrecords through recursive queries. - From 00:21, we query the forwarded domain
[random_prefix].attacker.attackand start SAD DNS attacks. - From 33:10, bingo, after 1,642 attempts costing 1,970s, fake
comNSrecords are cached successfully.
Threat Surface
We test the latest version 9.16.21, until Oct. 10, 2021, which is vulnerable.
Mitigation
Consider setting Query.zone with the forwarding zone, such as attacker.com .