Bug 1315690 (CVE-2016-2088)

Summary: CVE-2016-2088 bind: malformed packet containing multiple cookie options can trigger assertion failure
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: gagriogi, security-response-team, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bind 9.10.3-P4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-15 12:37:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1316445    
Bug Blocks: 1315695    

Description Martin Prpič 2016-03-08 12:22:22 UTC 
The following flaw, reported by ISC, was found in BIND 9.10:

BIND 9.10 has preliminary support for DNS cookies (or source identity tokens), a proposed mechanism designed to allow lightweight transaction security between a querying party and a nameserver. An error in the BIND code implementing support for this optional feature permits a deliberately misconstructed packet containing multiple cookie options to cause named to terminate with an INSIST assertion failure in resolver.c if DNS cookie support is enabled in the server. Only servers with DNS cookie support enabled at build time can be affected by this defect; in servers which do not have DNS cookie support selected any cookies encountered will be ignored as unknown option types.

Servers which are built with DNS cookie support enabled are vulnerable to denial of service if an attacker can cause them to receive and process a response that contains multiple cookie options.

External References:

https://kb.isc.org/article/AA-01351
Comment 1 Martin Prpič 2016-03-08 12:22:26 UTC 
Acknowledgments:

Name: ISC
Comment 3 Huzaifa S. Sidhpurwala 2016-03-10 09:12:08 UTC 
Public via:

https://kb.isc.org/article/AA-01351
Comment 4 Huzaifa S. Sidhpurwala 2016-03-10 09:36:16 UTC 
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1316445]
Comment 5 Tomas Hoger 2016-03-15 08:57:45 UTC 
Upstream commit:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956
Comment 6 Stefan Cornelius 2016-03-15 12:37:30 UTC 
Statement:

This issue did not affect the versions of bind97 as shipped with Red Hat Enterprise Linux 5 and bind as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for DNS cookies.