Bug 1655844 (CVE-2018-5742)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2018-5742 bind: Crash from assertion error when debug log level is 10 and log entries meet buffer boundary | | |
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abhgupta, anon.amish, dbaker, fweimer, jokerman, jpopelka, mruprich, msehnout, mvanderw, pemensik, pzhukov, redhat-bugzilla, security-response-team, sthangav, thozza, trankin, vonsch, yozone, zdohnal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-10 10:43:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1647539, 1656998, 1662916 | | |
| Bug Blocks: | 1654900 | | |
Description
Sam Fowler
2018-12-04 04:44:46 UTC
Statement: This flaw appears to be exploitable only when debug logging is enabled and set to at least a level of 10. As this configuration should be rare in production instances of bind, it is unlikely that most servers will be exploitable. The debug level of the bind server can be checked via the rndc status command, which will return the current trace level as "debug level". A value of 10 or above would most likely make this flaw exploitable.

Mitigation: Ensure that debug logging is disabled and set to 0. This can be verified on the Bind server by the rndc status command.

Call flow starts here in resolver.c:

```c
dns_message_logfmtpacket(message, "received packet:\n",
                         DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_PACKETS,
                         &dns_master_style_comment, ISC_LOG_DEBUG(10),
                         fctx->res->mctx);
```

and appears to potentially end with an assert inside of isc_buffer_putstr:

```c
if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
        isc_buffer_putstr(target, ";");
```

We can get some of these messages via -d 10 passed to named:

```sh
named -d 10 -f -g 2> >(grep "received packet:" -A 15)
```

On a default install of bind, the above command should show you some of these packet dumps (you may have to change permissions of /var/named to avoid some permissions errors). Dropping the debug level down just one level to 9 disables this specific print. Thus, most likely exploitable, but only on debug configs. I suspect very few bind instances are running with debug logging.

Looks like this flaw is impacting more than I thought. Going to re-analyze and try to determine if this is exploitable somehow with less than debug 10 logs enabled or if lots of people really like verbose bind logs.

Unembargoed due to public info being available.

External Reference: https://www.openwall.com/lists/oss-security/2018/12/19/6

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7: via RHSA-2019:0194, https://access.redhat.com/errata/RHSA-2019:0194
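A script that codifies the check described in the statement, as an added example that is not part of the bug report or of BIND itself: it reads the "debug level" line from `rndc status` output and the `-d` flag from named's command line, and reports whether the effective level reaches the 10 that the packet dump requires. The `rndc status` samples are constructed, and the function and dictionary key names are this example's own.

```python
import re
import shlex

# The packet dump that reaches the faulty isc_buffer_putstr() call is logged at
# ISC_LOG_DEBUG(10); the report notes that level 9 no longer emits it.
VULNERABLE_DEBUG_LEVEL = 10


def debug_level_from_rndc_status(status_output):
    """Return the integer after 'debug level:' in `rndc status` output,
    or None if that line is missing (for example when rndc could not connect)."""
    match = re.search(r"^debug level:\s*(\d+)\s*$", status_output, re.MULTILINE)
    return int(match.group(1)) if match else None


def debug_level_from_cmdline(cmdline: str) -> int:
    """Return the level given with named's -d flag ('-d 10' or '-d10'),
    or 0 when the flag is absent, which is named's default of no debug output."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg == "-d" and i + 1 < len(args) and args[i + 1].isdigit():
            return int(args[i + 1])
        if arg.startswith("-d") and arg[2:].isdigit():
            return int(arg[2:])
    return 0


def assess(status_output: str, cmdline: str = "") -> dict:
    """Combine both sources. The running server's reported level wins when present,
    because `rndc trace` can raise it after start-up without changing the command line."""
    runtime = debug_level_from_rndc_status(status_output)
    effective = runtime if runtime is not None else debug_level_from_cmdline(cmdline)
    return {
        "effective_level": effective,
        "exposed": effective >= VULNERABLE_DEBUG_LEVEL,
        "source": "rndc status" if runtime is not None else "command line",
    }


# Constructed sample outputs (not captured from a real server).
SAMPLE_STATUS_OK = "version: BIND 9.11.4\ndebug level: 0\nserver is up and running\n"
SAMPLE_STATUS_BAD = "version: BIND 9.11.4\ndebug level: 10\nserver is up and running\n"

if __name__ == "__main__":
    for label, status in (("quiet", SAMPLE_STATUS_OK), ("verbose", SAMPLE_STATUS_BAD)):
        print(label, assess(status, "named -f -g"))
```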