KAT DNS server version
Changes
Adds support for finding DNS Server versions
Issue link
On 23 July 2024 we (Internet Systems Consortium) disclosed four vulnerabilities affecting our BIND 9 software:
- CVE-2024-0760: A flood of DNS messages over TCP may make the server unstable https://kb.isc.org/docs/cve-2024-0760
- CVE-2024-1737: BIND's database will be slow if a very large number of RRs exist at the same name https://kb.isc.org/docs/cve-2024-1737
- CVE-2024-1975: SIG(0) can be used to exhaust CPU resources https://kb.isc.org/docs/cve-2024-1975
- CVE-2024-4076: Assertion failure when serving both stale cache data and authoritative zone content https://kb.isc.org/docs/cve-2024-4076
New versions of BIND 9 are available from https://www.isc.org/downloads
Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of each published release directory:
- https://downloads.isc.org/isc/bind9/9.18.28/patches/
With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.
QA notes
Many authoritative nameservers are still unpatched; use Shodan to find some that expose a version string and run BIND.
Code Checklist
- [ ] All the commits in this PR are properly PGP-signed and verified.
- [ ] This PR only contains functionality relevant to the issue.
- [ ] I have written unit tests for the changes or fixes I made.
- [ ] I have checked the documentation and made changes where necessary.
- [ ] I have performed a self-review of my code and refactored it to the best of my abilities.
- [ ] Tickets have been created for newly discovered issues.
- [ ] For any non-trivial functionality, I have added integration and/or end-to-end tests.
- [ ] I have informed others of any required `.env` changes, and changed `.env-dist` accordingly.
- [ ] I have included comments in the code to elaborate on what is not self-evident from the code itself, including references to issues and discussions online, or implicit behavior of an interface.
Checklist for code reviewers:
Copy-paste the checklist from the docs/source/templates folder into your comment.
Checklist for QA:
Copy-paste the checklist from the docs/source/templates folder into your comment.
N.B. I'm not sure about the specific version strings for each of the problematic BIND versions yet, as there are no new packages just yet.
Removed the CVE findings output in this plugin as discussed with @underdarknl, as they should preferably be handled by a Bit.
Checklist for QA:
- [x] I have checked out this branch, and successfully ran a fresh `make reset`.
- [x] I confirmed that there are no unintended functional regressions in this branch:
- [x] I have managed to pass the onboarding flow
- [x] Objects and Findings are created properly
- [x] Tasks are created and completed properly
- [ ] I confirmed that the PR's advertised `feature` or `hotfix` works as intended.
- [ ] I checked the logs for errors and/or warnings and made issues where necessary
What works:
General functioning of the application seems to work. Enabling the boefje works.
What doesn't work:
The DNS Server version boefje 'finishes' with the following message in the raw file (for all tested hosts): "Not a DNS service". The normalizer doesn't run because of this message.
Edit: Manually changing the line `if input_["service"]["name"] != "dns":` to `'domain'` results in the following error:

```
Traceback (most recent call last):
  File "/app/boefjes/boefjes/local.py", line 58, in run
    return boefje_resource.module.run(boefje_meta)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/boefjes/boefjes/plugins/kat_dns_version/main.py", line 32, in run
    response = method(query, where=ip, timeout=timeout, port=port)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/dns/query.py", line 1026, in tcp
    _connect(s, destination, expiration)
  File "/usr/local/lib/python3.11/site-packages/dns/query.py", line 962, in _connect
    err = s.connect_ex(address)
          ^^^^^^^^^^^^^^^^^^^^^
TypeError: 'str' object cannot be interpreted as an integer

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/boefjes/boefjes/job_handler.py", line 114, in handle
    boefje_results = self.job_runner.run(boefje_meta, boefje_meta.environment)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/boefjes/boefjes/local.py", line 60, in run
    raise JobRuntimeError("Boefje failed") from e
boefjes.runtime_interfaces.JobRuntimeError: Boefje failed
```
Bug or feature?:
See above.
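As an added example (not the boefje's own code), a standard-library `version.bind` CHAOS TXT query whose port handling avoids the root cause of the traceback above: the scan result hands the port over as a string, and the socket layer wants an int. The reply parser is exercised against a constructed reply offline; the server address, port type and sample version string "9.18.28" are assumptions.

```python
import socket
import struct

CLASS_CH, TYPE_TXT = 3, 16   # CHAOS class, TXT type: where BIND exposes version.bind

def coerce_port(port) -> int:
    """int() first: socket.connect_ex() rejects '53' with the TypeError seen in QA."""
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port

def build_version_query(txid: int = 0x1234) -> bytes:
    """Encode a DNS query for version.bind, type TXT, class CH, no flags set."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def _skip_name(resp: bytes, pos: int) -> int:
    """Advance past a wire-format name: labels ending in 0x00, or a 2-byte pointer."""
    while resp[pos]:
        if resp[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += resp[pos] + 1
    return pos + 1

def parse_txt_answer(resp: bytes) -> list[str]:
    """TXT strings of the first answer; [] if refused or no answer (version hidden)."""
    _txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    if flags & 0x000F or an == 0:            # RCODE != NOERROR, or empty answer
        return []
    pos = 12
    for _ in range(qd):                      # skip question(s): name + qtype + qclass
        pos = _skip_name(resp, pos) + 4
    pos = _skip_name(resp, pos)              # answer owner name (usually a pointer)
    rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, pos)
    if rtype != TYPE_TXT or rclass != CLASS_CH:
        return []
    rdata, out, i = resp[pos + 10:pos + 10 + rdlen], [], 0
    while i < len(rdata):                    # TXT rdata is <len><chars> repeated
        out.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
        i += 1 + rdata[i]
    return out

def query_version(ip: str, port, timeout: float = 3.0) -> list[str]:
    """Send the query over UDP to a server you operate and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (ip, coerce_port(port)))
        return parse_txt_answer(s.recvfrom(512)[0])
```

On a server you operate, an empty result is what you want to see after setting `version "none";` in BIND's `options` block.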
> What doesn't work:
> The DNS Server version boefje 'finishes' with the following message in the raw file (for all tested hosts): "Not a DNS service". The normalizer doesn't run because of this message.
> Edit: Manually changing the line `if input_["service"]["name"] != "dns":` to `'domain'` results in the following error:
Thanks for the QA, will look into this
Checklist for QA:
- [x] I have checked out this branch, and successfully ran a fresh `make reset`.
- [x] I confirmed that there are no unintended functional regressions in this branch:
- [x] I have managed to pass the onboarding flow
- [x] Objects and Findings are created properly
- [x] Tasks are created and completed properly
- [x] I confirmed that the PR's advertised `feature` or `hotfix` works as intended.
- [x] I checked the logs for errors and/or warnings and made issues where necessary
What works:
Seems to work as expected. I tested against a BIND DNS server and it nicely creates Software and Software Instances for these hostnames.
What doesn't work:
Even though the server version was vulnerable, no findings are created. I discussed this with @ammar92 and this is intended behaviour.
Bug or feature?:
n/a