Bug 1613595 (CVE-2018-5740)

Summary: CVE-2018-5740 bind: processing of certain records when "deny-answer-aliases" is in use may trigger an assert leading to a denial of service
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: anon.amish, bmcclain, dblechte, dfediuck, eedri, jpopelka, mgoldboi, michal.skrivanek, mruprich, msehnout, pemensik, pzhukov, sbonazzo, security-response-team, sherold, thozza, vonsch, yozone, zdohnal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: bind 9.9.13-P1, bind 9.10.8-P1, bind 9.11.4-P1, bind 9.12.2-P1, bind 9.11.3-S3
Doc Type: If docs needed, set a value
Doc Text: A denial of service flaw was discovered in bind versions that include the "deny-answer-aliases" feature. This flaw may allow a remote attacker to trigger an INSIST assert in named leading to termination of the process and a denial of service condition.
Last Closed: 2019-06-10 10:35:30 UTC
Bug Depends On: 1613976, 1613977, 1613978, 1614040, 1614041, 1614042
Bug Blocks: 1613599

Description Sam Fowler 2018-08-08 00:29:07 UTC
BIND versions through 9.8.8, 9.9.13, 9.10.8, 9.11.4, 9.12.2 and 9.13.2 have a flaw in the "deny-answer-aliases" feature that can cause an INSIST assertion failure in named. A remote attacker could exploit this to cause named to crash.

Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.

Comment 1 Sam Fowler 2018-08-08 00:29:13 UTC
Acknowledgments:

Name: ISC
Upstream: Tony Finch (University of Cambridge)

Comment 2 Tomas Hoger 2018-08-08 07:11:36 UTC
Note that upstream notes version 9.7.0 as the first version affected by this flaw, as that's when deny-answer-aliases feature was added.

Comment 9 Scott Gayou 2018-08-08 17:43:14 UTC
Mitigation:

Disabling the "deny-answer-aliases" configuration option should prevent exploitation.

Comment 10 Scott Gayou 2018-08-08 17:54:11 UTC
Statement:

The "deny-answer-aliases" configuration option is not enabled in default configurations of bind. Upstream states that this option is very rarely used. As such, if customers have not specifically enabled this option in configurations, the risk should be mitigated.
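The mitigation and statement above both turn on one question: does the running named actually have an active deny-answer-aliases statement in its configuration? The shell script below is an added example written for this page; it is not code from Red Hat, ISC or this bug. It strips BIND's three comment styles (//, # and /* */) before searching, so that an option that was commented out as the mitigation suggests is not reported as still active, and it searches for the statement wherever it appears (options or view scope). The named.conf fragments it writes (the example.net/example.org deny lists, the /var/named directory) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Red Hat or ISC: report whether a named.conf
# enables "deny-answer-aliases", the only configuration in which the
# CVE-2018-5740 assertion is reachable. All sample configs below are
# constructed for this demonstration.

# Print the configuration on one line with //, # and /* ... */ comments
# removed, so that a commented-out option is not reported as active.
strip_named_comments() {
    sed -E -e 's,//.*$,,' -e 's,#.*$,,' "$1" \
      | tr '\n' ' ' \
      | sed -E -e 's,/\*([^*]|\*+[^*/])*\*+/, ,g'
}

# Print every active deny-answer-aliases statement in the file $1 and
# return 0; return 1 (grep's status) if none is configured.
deny_answer_aliases_enabled() {
    strip_named_comments "$1" \
      | grep -Eo 'deny-answer-aliases[[:space:]]*[{][^}]*[}]'
}

# Constructed samples: one exposed server, one where the option was
# commented out in both comment styles, and a stock config without it.
write_sample_configs() {
    dir="$1"
    cat > "$dir/vulnerable.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    // Rejects CNAME/DNAME answers pointing into these zones;
    // this is the setting CVE-2018-5740 requires.
    deny-answer-aliases { "example.net"; "example.org"; };
};
EOF
    cat > "$dir/mitigated.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    // deny-answer-aliases { "example.net"; };
    /* deny-answer-aliases {
         "example.org";
       }; */
};
EOF
    cat > "$dir/default.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
};
EOF
}

# Stand-alone demonstration over the three constructed configs.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in vulnerable mitigated default; do
    if stmt=$(deny_answer_aliases_enabled "$tmp/$f.conf"); then
        echo "$f.conf: deny-answer-aliases is ACTIVE: $stmt"
    else
        echo "$f.conf: deny-answer-aliases not configured"
    fi
done
rm -rf "$tmp"
```

On a live server, feed the function the output of `named-checkconf -p /etc/named.conf` rather than the raw file, so that include files are expanded and the check sees what named actually loaded. If a statement is reported, remove or comment it out and apply the change with `rndc reconfig`; that closes the exposure until the fixed packages from the errata further down this page are installed.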

Comment 11 Scott Gayou 2018-08-08 21:31:22 UTC
Unembargoing due to unembargo from upstream (https://lists.isc.org/pipermail/bind-announce/2018-August/001098.html)

Comment 12 Scott Gayou 2018-08-08 21:31:34 UTC
External References:

https://kb.isc.org/article/AA-01639/74/CVE-2018-5740

Comment 13 Scott Gayou 2018-08-08 21:33:17 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1614040]

Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1614041]

Comment 16 Doran Moppert 2018-08-10 06:18:31 UTC
Red Hat Virtualization only ships client-side / library portions of bind, which do not include this flaw.

Comment 17 Doran Moppert 2018-08-10 06:24:44 UTC
Upstream patches:

https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits

Comment 21 errata-xmlrpc 2018-08-27 15:17:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2571 https://access.redhat.com/errata/RHSA-2018:2571

Comment 22 errata-xmlrpc 2018-08-27 15:32:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2570 https://access.redhat.com/errata/RHSA-2018:2570