Bug 1291186 (CVE-2015-8461)

Summary: CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: nicku, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bind 9.9.8-P2, bind 9.10.3-P2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-15 21:09:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1291911    
Bug Blocks: 1291188    

Description Martin Prpič 2015-12-14 09:12:28 UTC 
The following flaw, reported by ISC, was found in BIND version 9 (9.9.8 through 9.9.8-P1, 9.9.8-S1 through 9.9.8-S2, 9.10.3 through 9.10.3-P1):

Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c. This error was introduced with the following patch:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d

An uncommonly occurring condition can cause affected servers to exit with an INSIST failure depending on the outcome of a race condition in resolver.c While difficult to exploit reliably, a malicious party could, through deliberate behavior, significantly increase the probability of encountering the triggering condition, resulting in denial-of-service to clients if successful.
Comment 1 Martin Prpič 2015-12-14 09:13:35 UTC 
Acknowledgements:

Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges John O'Brien of the University of Pennsylvania as the original reporter.
Comment 3 Tomas Hoger 2015-12-15 21:02:38 UTC 
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01319
Comment 4 Tomas Hoger 2015-12-15 21:08:44 UTC 
Created bind tracking bugs for this issue:

Affects: fedora-23 [bug 1291911]
Comment 5 Tomas Hoger 2015-12-15 21:09:49 UTC 
No Red Hat product included affected bind versions.
Comment 6 Nick Urbanik 2015-12-17 05:05:47 UTC 
Is this not the same vulnerability that caught us yesterday:

16-Dec-2015 03:33:25.000 client: client 10.206.88.22#11109: recursive-clients soft limit exceeded (9904/9900/10000), aborting oldest query
16-Dec-2015 03:33:25.940 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 03:33:25.941 general: exiting (due to assertion failure)
16-Dec-2015 06:29:47.000 client: client 49.199.24.156#43970: recursive-clients soft limit exceeded (9909/9900/10000), aborting oldest query
16-Dec-2015 06:29:47.521 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:47.521 general: exiting (due to assertion failure)
16-Dec-2015 06:29:08.000 client: client 10.204.43.127#5035: recursive-clients soft limit exceeded (9907/9900/10000), aborting oldest query
16-Dec-2015 06:29:08.556 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:08.556 general: exiting (due to assertion failure)
16-Dec-2015 13:23:39.002 client: client 110.21.91.221#53551: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:23:39.817 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:23:39.817 general: exiting (due to assertion failure)
16-Dec-2015 13:54:45.000 client: client 10.204.44.161#28244: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:54:45.592 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:54:45.592 general: exiting (due to assertion failure)
16-Dec-2015 15:44:36.000 client: client 49.195.170.22#18817: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 15:44:36.716 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 15:44:36.716 general: exiting (due to assertion failure)
16-Dec-2015 06:27:36.000 client: client 10.204.247.33#14995: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 06:27:36.613 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:27:36.614 general: exiting (due to assertion failure)
16-Dec-2015 06:50:06.000 client: client 49.195.168.80#59498: recursive-clients soft limit exceeded (9909/9900/10000), aborting oldest query
16-Dec-2015 06:50:06.376 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:50:06.376 general: exiting (due to assertion failure)
16-Dec-2015 11:27:51.008 client: client 58.111.135.165#58059: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 11:27:51.195 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 11:27:51.195 general: exiting (due to assertion failure)
16-Dec-2015 12:54:55.002 client: client 10.204.10.25#10198: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 12:54:55.765 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 12:54:55.765 general: exiting (due to assertion failure)
16-Dec-2015 13:47:52.001 client: client 1.40.136.246#58047: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:47:52.285 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:47:52.285 general: exiting (due to assertion failure)

This was bind-*9.8.2-0.37.rc1.el6_7.4.x86_64

We have upgraded to bind-*9.8.2-0.37.rc1.el6_7.5.x86_64,
but are you saying that what we see cannot happen?
Comment 7 Tomas Hoger 2015-12-17 08:09:45 UTC 
Upstream commit as applied to 9.9.8:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=07970f1c57b61a06f71f0db0ce103bf31ea8f1c9
Comment 8 Fedora Update System 2015-12-19 18:25:04 UTC 
bind-9.10.3-7.P2.fc23, bind-dyndb-ldap-8.0-4.fc23, dnsperf-2.0.0.0-19.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-12-22 07:22:51 UTC 
bind-9.10.3-7.P2.fc22, bind-dyndb-ldap-7.0-6.fc22, dnsperf-2.0.0.0-19.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.