Bug 1655844 (CVE-2018-5742)

Summary: CVE-2018-5742 bind: Crash from assertion error when debug log level is 10 and log entries meet buffer boundary
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, anon.amish, dbaker, fweimer, jokerman, jpopelka, mruprich, msehnout, mvanderw, pemensik, pzhukov, redhat-bugzilla, security-response-team, sthangav, thozza, trankin, vonsch, yozone, zdohnal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1647539, 1656998, 1662916
Bug Blocks: 1654900

Description Sam Fowler 2018-12-04 04:44:46 UTC
The bind package shipped in Red Hat Enterprise Linux 7 from version 9.9.4-65 is vulnerable to an issue when the debug log level is 10 or higher, allowing remote attackers to cause a crash via crafted queries. This issue is a regression introduced by the backport of the "negative trust anchors" patch included from version 9.9.4-65.


Introduced By:

https://bugzilla.redhat.com/show_bug.cgi?id=1452091

Comment 7 Scott Gayou 2018-12-07 20:58:51 UTC
Statement:

This flaw appears to be exploitable only when debug logging is enabled and set to at least a level of 10. As this configuration should be rare in production instances of bind, it is unlikely that most servers will be exploitable. The debug level of the bind server can be checked via the rndc status command, which will return the current trace level as "debug level". A value of 10 or above would most likely make this flaw exploitable.

Comment 8 Scott Gayou 2018-12-07 21:00:51 UTC
Mitigation:

Ensure that debug logging is disabled and set to 0. This can be verified on the Bind server by the rndc status command.
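
The check described in the Statement and Mitigation comments, as an added example that is not part of the bug report or of BIND: a POSIX shell script that reads the "debug level" line from `rndc status` output and any `severity debug N` channel setting in a named.conf logging block, and flags values of 10 or above (the level at which the packet dump is enabled). The sample status output and logging block are constructed, as are the function names.

```shell
#!/bin/sh
# Added example, not from the bug report or from BIND: check the current
# debug level (threshold 10, from the report) in `rndc status` output and in
# named.conf channel severities. All sample input below is constructed.

PACKET_DUMP_LEVEL=10   # ISC_LOG_DEBUG(10) enables the "received packet:" dump

# Print the number from the "debug level: N" line of rndc status text on stdin,
# or nothing when the line is absent.
debug_level_from_status() {
    sed -n 's/^debug level:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when the given level is high enough to enable the packet dump.
level_enables_packet_dump() {
    [ -n "$1" ] && [ "$1" -ge "$PACKET_DUMP_LEVEL" ]
}

# Print the highest "severity debug N" found in named.conf text on stdin
# (a logging channel can enable the dump without running named with -d).
# Prints 0 when no debug severity is present.
max_channel_debug_level() {
    sed -n 's/.*severity[[:space:]]*debug[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | sort -n | tail -n 1 | { read -r m; echo "${m:-0}"; }
}

# Constructed sample resembling `rndc status` on a server started with -d 10.
SAMPLE_STATUS='version: 9.9.4 (constructed sample)
number of zones: 101
debug level: 10
server is up and running'

# Constructed sample logging block with a channel at debug severity 12.
SAMPLE_CONF='logging {
    channel debug_log {
        file "data/named.debug";
        severity debug 12;
    };
};'

status_level=$(printf '%s\n' "$SAMPLE_STATUS" | debug_level_from_status)
conf_level=$(printf '%s\n' "$SAMPLE_CONF" | max_channel_debug_level)
for lvl in "$status_level" "$conf_level"; do
    if level_enables_packet_dump "$lvl"; then
        echo "debug level $lvl: packet dump active, lower it to 0 and restart named"
    else
        echo "debug level ${lvl:-unset}: packet dump inactive"
    fi
done
```

On a live server, replace the constructed samples with `rndc status` and the actual named.conf to get the same verdict.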

Comment 9 Scott Gayou 2018-12-07 21:25:09 UTC
Callflow starts here in resolver.c:

```c
dns_message_logfmtpacket(message, "received packet:\n",
                         DNS_LOGCATEGORY_RESOLVER,
                         DNS_LOGMODULE_PACKETS,
                         &dns_master_style_comment,
                         ISC_LOG_DEBUG(10),
                         fctx->res->mctx);
```

and appears to potentially end with an assert inside of isc_buffer_putstr.

```c
if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
    isc_buffer_putstr(target, ";");
```

We can get some of these messages via -d 10 passed to named:

```sh
named -d 10 -f -g 2> >(grep "received packet:" -A 15)
```

On a default install of bind, the above command should show you some of these packet dumps (you may have to change permissions of /var/named to avoid some permissions errors). Dropping the debug level down just one level to 9 disables this specific print.

Thus, most likely exploitable, but only on debug configs. I suspect very few bind instances are running with debug logging.

Comment 11 Scott Gayou 2018-12-18 14:03:22 UTC
Looks like this flaw is impacting more than I thought. Going to re-analyze and try to determine if this is exploitable somehow with less than debug 10 logs enabled or if lots of people really like verbose bind logs.

Comment 12 Scott Gayou 2018-12-18 14:17:12 UTC
Unembargoed due to public info being available.

Comment 13 Scott Gayou 2018-12-18 14:28:43 UTC
https://bugs.centos.org/view.php?id=15528

Comment 14 Sam Fowler 2018-12-19 23:34:24 UTC
External Reference:

https://www.openwall.com/lists/oss-security/2018/12/19/6

Comment 15 errata-xmlrpc 2019-01-29 17:24:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0194 https://access.redhat.com/errata/RHSA-2019:0194