krb5-subdomain update policy fails to correctly enforce restrictions?
Submitter Dominik George (firstname.lastname@example.org) reports a problem with the krb5-subdomain update policy. If confirmed it sounds as though it would improperly permit update to unauthorized clients.
while debugging a malfunction of our BIND9 setup, we discovered what we consider a security issue in BIND9's GSS-TSIG handling, to be more precise in the handling of nams in the krb5-subdomain update-policy rule.
The following relates to BIND9 9.10.3, but the errornous code is also present in 9.11.
As laid out in the documentation:
This rule takes a Kerberos machine principal (host/machine@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM to be matched is specified in the identity field. The name field should be set to "."
So, the following rule…
grant EXAMPLE.COM krb5-subdomain .
…together with an incoming signed request from the principal host/foo.example.com@EXAMPLE.COM should succedd if, and only if…
- the realm of the client matches EXAMPLE.COM - and -
- the service name matches the string "host" - and -
- the requested name is a subdomain of the principal name.
The code in lib/dns/ssu.c, in case DNS_SSUMATCHTYPE_SUBDOMAINKRB, however, completely lacks the last check. Instead, it checks whether the requested update name is a subdomain of the name in the rule. This check always returns true if configured in line with the docs, which propose always using "." as the rule name.
Thus, I conclude that the krb5-subdomain check, along with the ms-subdomain check, is completely ineffective.
I verified that, in fact, the above rule allows anyone with a host/*@EXAMPLE.COM principal to update arbitrary DNS records.
As a bonus, the krb5-self and krb5-subdomain check types are out of sync (with each other, and with the docs) in that krb5-subdomain does check the requested name against the rule name, and krb5-self doesn't, and the docs say both don't. It should probably be removed in or added to both. Also, according to the docs, the realm fro mthe signer's principal is appended to the machine name from the client principal - which is not the case either.
If this is correct and quoted, please refer to Dominik George and Thorsten Glaser, and to the sponsors Teckids e.V. and tarent solutions GmbH.
We are preparing and testing a patch.
-- PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Hundeshagenstr. 26 · 53225 Bonn Phone: +49 228 92934581 · https://www.dominik-george.de/
Teckids e.V. · FrOSCon e.V. · Debian Developer
LPIC-3 Linux Enterprise Professional (Security)