Bug 1315674 (CVE-2016-1285)

Summary: CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: anemec, gagriogi, hannsj_uhl, kfujii, moshiro, security-response-team, slawomir, thozza, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: bind 9.9.8-P4, bind 9.10.3-P4, bind 9.9.8-S6
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way BIND processed certain control channel input. A remote attacker able to send a malformed packet to the control channel could use this flaw to cause named to crash.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-06 12:02:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1315717, 1315718, 1315719, 1315720, 1315721, 1315722, 1316445, 1316446, 1318949, 1318950, 1318951, 1322285
Bug Blocks: 1315695, 1320435, 1322722

Description Martin Prpič 2016-03-08 12:13:14 UTC
The following flaw, reported by ISC, was found in BIND:

Testing by ISC has uncovered a defect in control channel input handling which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named's control channel (the interface which allows named to be controlled using the "rndc" server control utility).

This assertion occurs before authentication but after network-address-based access controls have been applied. Or in other words: an attacker does not need to have a key or other authentication, but does need to be within the address list specified in the "controls" statement in named.conf which enables the control channel. If no "controls" statement is present in named.conf, named still defaults to listening for control channel information on loopback addresses (127.0.0.1 and ::1) if the file rndc.key is present in the configuration directory and contains a valid key.

A search for similar problems revealed an associated defect in the rndc server control utility whereby a malformed response from the server could cause the rndc program to crash. For completeness, it is being fixed at the same time even though this defect in the rndc utility is not in itself exploitable.

All servers are vulnerable if they accept remote commands on the control channel. Servers which are vulnerable can be stopped by an attacker sending the offending packet if the attacker is sending from a system listed within the address list specified in the "controls" statement (or from localhost if the control channel is using the default address list) resulting in denial of service to clients.

Mitigation:

Restrict access to the control channel (by using the "controls" configuration statement in named.conf) to allow connection only from trusted systems.

Note that if no "controls" statement is present, named defaults to allowing control channel connections only from localhost (127.0.0.1 and ::1) if and only if the file rndc.key exists in the configuration directory and contains valid key syntax. If rndc.key is not present and no "controls" statement is present in named.conf, named will not accept commands on the control channel.

External References:

https://kb.isc.org/article/AA-01352
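
The restriction described under Mitigation, written out as a named.conf fragment. This is an added example, not configuration taken from the ISC advisory or from this bug report; the key name "rndc-key", the server address 192.0.2.1, the management-host address 192.0.2.10 (both from the RFC 5737 documentation range) and the secret value are placeholders.

```conf
// Added example (not from the advisory): limiting who can reach the BIND
// control channel. The assertion behind CVE-2016-1285 is hit after the
// "allow" address list is checked but before the key is verified, so the
// address list, not the key, is what bounds exposure on unpatched servers.

// Shared secret used by rndc. Generate a real one with `rndc-confgen -a`;
// the value below is a PLACEHOLDER, not a valid key.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-rndc-confgen==";
};

// Weak: any source address may open a connection to port 953 and feed
// input to the control-channel parser. Shown commented out for contrast.
// controls {
//     inet * port 953 allow { any; } keys { "rndc-key"; };
// };

// Restricted: loopback plus one named management host only.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1       port 953 allow { ::1; }       keys { "rndc-key"; };
    // 192.0.2.1 stands in for this server's own address and 192.0.2.10
    // for the single host permitted to run rndc against it.
    inet 192.0.2.1 port 953 allow { 192.0.2.10; } keys { "rndc-key"; };
};

// If remote management is not needed at all, an empty statement disables
// the control channel entirely (rndc can then no longer manage this server):
// controls { };
```

Check the result with `named-checkconf` before reloading. Because the address list is evaluated before authentication, tightening it reduces who can trigger the crash but does not remove the defect; the packages listed under Fixed In Version and in the errata comments below are the actual fix.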

Comment 1 Martin Prpič 2016-03-08 12:13:19 UTC
Acknowledgments:

Name: ISC

Comment 5 Huzaifa S. Sidhpurwala 2016-03-10 09:10:28 UTC
Public via:

https://kb.isc.org/article/AA-01352

Comment 6 Huzaifa S. Sidhpurwala 2016-03-10 09:35:52 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1316445]

Comment 7 Huzaifa S. Sidhpurwala 2016-03-10 09:35:58 UTC
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1316446]

Comment 9 errata-xmlrpc 2016-03-16 12:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:0458 https://rhn.redhat.com/errata/RHSA-2016-0458.html

Comment 10 errata-xmlrpc 2016-03-16 13:35:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2016:0459 https://rhn.redhat.com/errata/RHSA-2016-0459.html

Comment 13 errata-xmlrpc 2016-03-31 17:57:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Extended Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:0562 https://rhn.redhat.com/errata/RHSA-2016-0562.html

Comment 14 errata-xmlrpc 2016-04-06 11:17:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2016:0601 https://rhn.redhat.com/errata/RHSA-2016-0601.html