Bug 1441133 (CVE-2017-3137)
| Summary: | CVE-2017-3137 bind: Processing a response containing CNAME or DNAME with unusual order can crash resolver | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | Petr Sklenar <psklenar> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | apmukher, dominik.mierzejewski, hagedorn, jaeshin, jiml, mlindner, pemensik, security-response-team, slawomir, slong, swsnyder, vanicekp, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | bind 9.9.9-P8, bind 9.10.4-P8, bind 9.11.0-P5 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:10:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1441611, 1441612, 1441912, 1441913, 1442957, 1442959, 1455274, 1455275, 1455276, 1455277, 1455278, 1455280 | ||
| Bug Blocks: | 1441140 | ||
|
Description
Adam Mariš
2017-04-11 09:45:09 UTC
Acknowledgments: Name: ISC Created bind tracking bugs for this issue: Affects: fedora-all [bug 1441912] Created bind99 tracking bugs for this issue: Affects: fedora-all [bug 1441913] This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1095 https://access.redhat.com/errata/RHSA-2017:1095 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:1105 https://access.redhat.com/errata/RHSA-2017:1105 This fix does not seem to addressed the problem, at least not on RHEL6. Or possibly the fix replaced one fatal bug with another. Before applying update: 20-Apr-2017 09:16:36.407 general: resolver.c:4286: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed 20-Apr-2017 09:16:36.408 general: exiting (due to assertion failure) After update: 25-Apr-2017 12:51:18.490 general: validator.c:1861: INSIST(rdataset->type == ((dns_rdatatype_t)dns_rdatatype_dnskey)) failed 25-Apr-2017 12:51:18.490 general: exiting (due to assertion failure) I've been contacted by Red Hat's Product Security Team asking for details on how to reproduce this. I should have addressed this in my comment #17 above. I don't know how to reproduce it. I administer several DNS servers that are open to the public, all running on CentOS v6.9/x86_64. After the recent update ( bind-9.8.2-0.62.rc1.el6_9.1.src.rpm ) was released I updated all my servers as soon as possible. Since that time I've been getting the assertion failure in validator.c shown above. I could post my named.conf if that would be helpful, but I can't provide code that would trigger the assertion. Please let me know if I can provide further information. We were also seeing the crash with validator.c. I have rolled back from 9.8.2-0.62.rc1.el6_9.1 to 9.8.2-0.62.rc1.el6.x86_64 and I now stable again. (In reply to Jim Lohiser from comment #20) > We were also seeing the crash with validator.c. I have rolled back from > 9.8.2-0.62.rc1.el6_9.1 to 9.8.2-0.62.rc1.el6.x86_64 and I now stable again. Do you have "dnssec-validation auto" in your configuration? I am advised by Red Hat to change this to "no" to prevent the assertion until they can get a fix released. (In reply to Steve Snyder from comment #22) > (In reply to Jim Lohiser from comment #20) > > We were also seeing the crash with validator.c. I have rolled back from > > 9.8.2-0.62.rc1.el6_9.1 to 9.8.2-0.62.rc1.el6.x86_64 and I now stable again. > > Do you have "dnssec-validation auto" in your configuration? > > I am advised by Red Hat to change this to "no" to prevent the assertion > until they can get a fix released. FWIW, we had another crash even with "dnssec-validation no". (In reply to Sebastian Hagedorn from comment #26) > (In reply to Steve Snyder from comment #22) > > (In reply to Jim Lohiser from comment #20) > > > We were also seeing the crash with validator.c. I have rolled back from > > > 9.8.2-0.62.rc1.el6_9.1 to 9.8.2-0.62.rc1.el6.x86_64 and I now stable again. > > > > Do you have "dnssec-validation auto" in your configuration? > > > > I am advised by Red Hat to change this to "no" to prevent the assertion > > until they can get a fix released. > > FWIW, we had another crash even with "dnssec-validation no". This is not our official mitigation, there isn't any reliable workaround for this issue which we're aware of. The only way is updating bind package. (In reply to Adam Mariš from comment #27) > (In reply to Sebastian Hagedorn from comment #26) > > (In reply to Steve Snyder from comment #22) > > > (In reply to Jim Lohiser from comment #20) > > > > We were also seeing the crash with validator.c. I have rolled back from > > > > 9.8.2-0.62.rc1.el6_9.1 to 9.8.2-0.62.rc1.el6.x86_64 and I now stable again. > > > > > > Do you have "dnssec-validation auto" in your configuration? > > > > > > I am advised by Red Hat to change this to "no" to prevent the assertion > > > until they can get a fix released. > > > > FWIW, we had another crash even with "dnssec-validation no". > > This is not our official mitigation, there isn't any reliable workaround for > this issue which we're aware of. The only way is updating bind package. Thanks, but there is no fixed bind package for RHEL 6, is there? The most recent crash happened with bind-9.8.2-0.62.rc1.el6_9.1. I saw that there is a bind-9.8.2-0.62.rc1.el6_9.2, but the Changelog didn't make it sound like the changes were relevant to this problem. Are you saying that "dnssec-validation no" doesn't help at all, because then I'd revert to "yes". I agree that changelog is not very clear, but bind-9.8.2-0.62.rc1.el6_9.2 is fix for known dnssec validation crashes in bind-9.8.2-0.62.rc1.el6_9.1. (In reply to Petr Menšík from comment #29) > I agree that changelog is not very clear, but bind-9.8.2-0.62.rc1.el6_9.2 is > fix for known dnssec validation crashes in bind-9.8.2-0.62.rc1.el6_9.1. Thanks for the clarification! This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Extended Update Support Via RHSA-2017:1583 https://access.redhat.com/errata/RHSA-2017:1583 This issue has been addressed in the following products: Red Hat Enterprise Linux 6.4 Advanced Update Support Red Hat Enterprise Linux 6.5 Advanced Update Support Red Hat Enterprise Linux 6.5 Telco Extended Update Support Red Hat Enterprise Linux 6.6 Telco Extended Update Support Red Hat Enterprise Linux 6.7 Extended Update Support Red Hat Enterprise Linux 6.6 Advanced Update Support Red Hat Enterprise Linux 6.2 Advanced Update Support Via RHSA-2017:1582 https://access.redhat.com/errata/RHSA-2017:1582 |