On 5 Jun 2023, at 06:19, William Herrin <bill@herrin.us> wrote:
On Sun, Jun 4, 2023 at 7:41 AM Izaac <izaac@setec.org> wrote:
It's not a security update. It's a configuration change.
Hi Izaac,
Perhaps you missed my subsequent message where I pointed out that the IP address is hard-coded in Bind which will use it by default unless configured not to.
It's also not a vulnerability. A vulnerability, as defined by MITRE for CVE is:
"A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.
At an absolute minimum there's an impact to confidentiality since it causes Bind to announce itself to an IP address that is not a root server. If the user configured bind with DNSSEC validation disabled, it's also a negative impact to integrity and availability since the potential false responder can steer bind away from the true DNS tree.
It announces itself to an address which remains under the control of USC/ISI the current and on going root server operator for b.root-servers.net. So apart from leaking that the root hints have not been updated I don’t see a big risk here. The address block, as has been stated, is in a reserved range for critical infrastructure and, I suspect, has special controls placed on it by ARIN regarding its re-use should USC/ISI ever release it / cease to be a root-server operator. I would hope that ARIN and all the RIRs have the list of current and old root-server addresses and that any block that are being transferred that have one of these addresses are flagged for special consideration. There is already a issue raised for updating the compiled in address. https://gitlab.isc.org/isc-projects/bind9/-/issues/4101 I suspect that most of the distributions that include named will have had or will have similar issues raised. Many distributions include their own set of hints and do not rely on the compiled in set. Named will log any differences between its configured root servers (names and addresses) and those returned when priming.
Like well known default passwords, for which there are many CVEs, it's a vulnerability.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org