Vulnerability Note VU#264212
Recursive DNS resolver implementations may follow referrals infinitely
Original Release date: 09 Dec 2014 | Last revised: 12 Jan 2015

Overview
Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.

Description
RFC 1034 describes how delegation works in the DNS, but it does not prescribe how a resolver must follow referrals or how much work it may spend doing so, leaving each DNS server to choose its own implementation. In some recursive resolver implementations, a query to a malicious authoritative server can lead the resolver to follow an infinite chain of referrals. Attempting to follow that chain can exhaust memory and CPU on the resolver and cause a denial of service (DoS).
This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: "Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone."

Depending on how the resolver handles out-of-bailiwick glue records and how many queries it issues simultaneously, it may also be possible to turn the resolver into a source of attack traffic: the attacker controls the addresses carried in the glue, so the resolver's burst of follow-up queries can be aimed at a third-party target.

Impact
A recursive DNS resolver following an infinite chain of referrals can consume ever more process memory and CPU until the process terminates. The effect ranges from slower responses to clients to complete interruption of the service.

Resolvers that follow multiple referrals at once can cause large bursts of network traffic.

Solution
Apply an update

These issues are addressed by limiting the maximum number of referrals followed and the number of simultaneous queries. See the Vendor Information section below for information about specific vendors.
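The referral chain described above and the two limits named as the fix, as an added example that is not part of the original note or of any vendor's code. It is a Python model, not a DNS client: the zone attacker.test, the nsN.dN naming scheme, the MaliciousAuthority/HonestAuthority classes and the max_referrals/max_queries parameters are the example's own and are not any vendor's configuration options.

```python
"""Toy model of the referral chain in VU#264212: a constructed example, not code
from CERT/CC, ISC or any other vendor. One malicious authoritative server answers
every query with a referral to name servers named under yet another zone it
controls, without glue, so the resolver must resolve those names first, which
yields another referral, and so on without end. The resolver implements the two
limits the advisory names as the fix: a cap on referrals followed and a cap on
upstream queries spent on one client request. No real DNS traffic is sent."""
from dataclasses import dataclass

ATTACKER_ZONE = "attacker.test"  # constructed name

@dataclass
class Answer:
    address: str

@dataclass
class Referral:
    zone: str          # zone being delegated
    nameservers: list  # NS names, out of bailiwick and without glue

class MaliciousAuthority:
    """Delegates dN.attacker.test to servers named under d(N+1).attacker.test."""
    def __init__(self, fanout=2):
        self.fanout = fanout
        self.queries_received = 0

    def query(self, qname):
        self.queries_received += 1
        labels = qname.split(".")  # every query has the shape <label>.dN.attacker.test
        next_zone = f"d{int(labels[1][1:]) + 1}.{ATTACKER_ZONE}"
        return Referral(".".join(labels[1:]),
                        [f"ns{i}.{next_zone}" for i in range(1, self.fanout + 1)])

class HonestAuthority:
    """Answers directly, to show the limits leave ordinary lookups alone."""
    def __init__(self):
        self.queries_received = 0

    def query(self, qname):
        self.queries_received += 1
        return Answer("192.0.2.10")  # documentation address, constructed

class ReferralLimitExceeded(Exception): pass
class QueryBudgetExceeded(Exception): pass

class Resolver:
    """Depth-first recursive resolver; a limit of None means unbounded."""
    def __init__(self, authority, max_referrals=None, max_queries=None):
        self.authority = authority
        self.max_referrals = max_referrals
        self.max_queries = max_queries

    def resolve(self, qname):
        self.referrals_followed = 0
        self.queries_sent = 0
        return self._resolve(qname)

    def _resolve(self, qname):
        self.queries_sent += 1
        if self.max_queries is not None and self.queries_sent > self.max_queries:
            raise QueryBudgetExceeded(f"{self.max_queries} queries spent on one request")
        response = self.authority.query(qname)
        if isinstance(response, Answer):
            return response.address
        self.referrals_followed += 1
        if self.max_referrals is not None and self.referrals_followed > self.max_referrals:
            raise ReferralLimitExceeded(f"more than {self.max_referrals} referrals followed")
        # No glue: the delegated zone cannot be contacted until its NS names
        # resolve, and each of those lookups comes back as another referral. A
        # resolver firing all of them at once would also produce the traffic
        # burst described under Impact.
        for ns in response.nameservers:
            self._resolve(ns)
        # Reached only once every NS name resolved; a real resolver would now
        # send qname to those servers. The malicious authority never lets it
        # get this far, so that step is not modelled.
        return None

def run(authority, max_referrals=None, max_queries=None):
    """Resolve one constructed name; return (outcome, queries the authority saw)."""
    resolver = Resolver(authority, max_referrals, max_queries)
    try:
        resolver.resolve(f"www.d1.{ATTACKER_ZONE}")
        outcome = "answered"
    except ReferralLimitExceeded:
        outcome = "referral-limit"
    except QueryBudgetExceeded:
        outcome = "query-limit"
    except RecursionError:
        # Stand-in for the memory/CPU exhaustion and crash described under
        # Impact: the unbounded resolver stops only when the stack runs out.
        outcome = "stack-exhausted"
    return outcome, authority.queries_received

if __name__ == "__main__":
    print("unbounded      :", run(MaliciousAuthority()))
    print("referral limit :", run(MaliciousAuthority(), max_referrals=8))
    print("query budget   :", run(MaliciousAuthority(), max_queries=20))
    print("honest server  :", run(HonestAuthority(), max_referrals=8, max_queries=20))
```

Running the module prints the four outcomes: the unbounded resolver ends in the interpreter's RecursionError, the two capped resolvers stop after a fixed number of upstream queries (nine with a referral cap of 8, twenty with a query budget of 20), and the honest server is answered in a single query. That last pair is the property worth confirming after applying a vendor's limits: the caps trip on the malicious chain and stay invisible to normal resolution.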

Vendor Information

Vendor                                  Status        Date Notified  Date Updated
EfficientIP                             Affected      11 Dec 2014    22 Dec 2014
Infoblox                                Affected      24 Nov 2014    11 Dec 2014
Internet Systems Consortium             Affected      -              09 Dec 2014
MaraDNS                                 Affected      03 Dec 2014    12 Jan 2015
NLnet Labs                              Affected      -              09 Dec 2014
PowerDNS                                Affected      -              09 Dec 2014
CZ NIC                                  Not Affected  17 Dec 2014    18 Dec 2014
djbdns                                  Not Affected  03 Dec 2014    10 Dec 2014
dnsmasq                                 Not Affected  03 Dec 2014    05 Dec 2014
European Registry for Internet Domains  Not Affected  17 Dec 2014    18 Dec 2014
gdnsd                                   Not Affected  17 Dec 2014    18 Dec 2014
GNU adns                                Not Affected  03 Dec 2014    17 Dec 2014
GNU glibc                               Not Affected  -              18 Dec 2014
Microsoft Corporation                   Not Affected  18 Dec 2014    29 Dec 2014
Nominum                                 Not Affected  24 Nov 2014    09 Dec 2014

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:N/A:P
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  3.4    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

https://www.ietf.org/rfc/rfc1034.txt
http://cert.ssi.gouv.fr/site/CERTFR-2014-AVI-512/index.html

Credit

ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2014-8601
CVE-2014-8500
CVE-2014-8602

Date Public:
08 Dec 2014

Date First Published:
09 Dec 2014

Date Last Updated:
12 Jan 2015

Document Revision:
50
