[dns-operations] Wormable RCE in MS Windows DNS Server CVE-2020-1350
Paul Vixie
paul at redbarn.org
Thu Jul 23 02:35:30 UTC 2020
On Thursday, 23 July 2020 01:21:04 UTC Brian Somers wrote:
> ...
>
> So, a resolver that drops or decompresses compressed SIG RRs should
> protect windows, assuming windows doesn’t just go ahead and ask the
> authority directly.
>
> ...
>
> In short, resolvers should disallow compressed RRSIG signers (and may not),
> should decompress SIG signers before regurgitating them to a client, and
> should probably never actually serve them in the first place unless maybe as
> part of an ANY response (I would argue that a response that contains all
> SIGs for all types for a given name is not useful to anybody). If the
> uncompressed SIG overflows the response data to more than 64k, SERVFAIL
> should be returned to the client.
>
> Well, that’s how I see it anyway...
in this case the SIG is not being used for validation by the full resolver,
and its RDATA should be treated there as opaque. which means the stub should
see a garbage RDATA (the 0xc0 bits in the signer name should be interpreted as
ASCII not a label type, or else, interpreted as introducing a 14-bit pointer
into a message that no longer exists, producing either a range error, or ASCII
garbage.)
i think we have to be conservative in what we decompress, and correct in what
we choose (not) to compress. CVE-2020-1350 shows either two or three bugs: one
in the initiator, one in the forwarder, and possibly one in the authority.
--
Paul
More information about the dns-operations
mailing list