Bug 1385450 (CVE-2016-2848)

Summary: CVE-2016-2848 bind: assertion failure triggered by a packet with malformed options
Product: [Other] Security Response
Reporter: Dhiru Kholia <dkholia>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: dkholia, fweimer, security-response-team, thozza
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20161020,reported=20160928,source=internet,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-617,rhel-4/bind=wontfix,rhel-5/bind=affected,rhel-5/bind97=affected,rhel-6/bind=affected,rhel-6.2.z/bind=affected,rhel-6.4.z/bind=affected,rhel-6.5.z/bind=affected,rhel-6.6.z/bind=affected,rhel-6.7.z/bind=affected,rhel-7/bind=notaffected,fedora-all/bind=notaffected,fedora-all/bind99=notaffected
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way BIND handled packets with malformed options. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS packet.
Last Closed: 2016-10-25 10:42:43 UTC
Bug Depends On: 1385452, 1385453, 1385454, 1385455, 1386548, 1386549, 1386550, 1386551, 1386552    
Bug Blocks: 1383236    

Description Dhiru Kholia 2016-10-17 05:02:43 UTC
A packet with a malformed options section can be used to deliberately trigger an assertion failure affecting versions of BIND which do not contain change #3548.

A server vulnerable to this defect can be forced to exit with an assertion failure if it receives a malformed packet. Authoritative and recursive servers are both vulnerable.

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=CHANGES has more information on change #3548. The commit corresponding to this change is https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=4adf97c32fcca7d00e5756607fd045f2aab9c3d4.

Comment 14 Tomas Hoger 2016-10-20 18:19:58 UTC
Public now via ISC upstream advisory.

External References:

https://kb.isc.org/article/AA-01433

Comment 15 errata-xmlrpc 2016-10-20 19:20:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:2094 https://rhn.redhat.com/errata/RHSA-2016-2094.html

Comment 16 errata-xmlrpc 2016-10-20 20:40:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2016:2093 https://rhn.redhat.com/errata/RHSA-2016-2093.html

Comment 17 errata-xmlrpc 2016-10-25 08:48:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support
  Red Hat Enterprise Linux 6.6 Extended Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support
  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support

Via RHSA-2016:2099 https://rhn.redhat.com/errata/RHSA-2016-2099.html