Bug 1702545 (CVE-2019-6467)

Summary: CVE-2019-6467 bind: flaw in nxredirect can cause assertion failure
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: anon.amish, jpopelka, mruprich, msehnout, pemensik, pzhukov, security-response-team, thozza, vonsch, zdohnal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: bind 9.12.4-P1, bind 9.14.1, bind 9.14.2, bind 9.15.0
Doc Text:
A flaw was found in the way the "nxdomain-redirect" feature was implemented in bind. An attacker could use this flaw on a server with a vulnerable configuration to cause bind to exit, denying service to other clients.
Last Closed: 2019-04-25 05:21:40 UTC
Bug Blocks: 1702542
Attachments:
Patch against bind-9.12.4-P1 (flags: none)
Patch against bind-9-14-1 (flags: none)

Description Huzaifa S. Sidhpurwala 2019-04-24 06:03:32 UTC
As per upstream advisory:

A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally.

The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible.

An attacker who can deliberately trigger the condition on a server with a vulnerable configuration can cause BIND to exit, denying service to other clients.

Comment 1 Huzaifa S. Sidhpurwala 2019-04-24 06:03:34 UTC
Acknowledgments:

Name: ISC

Comment 2 Huzaifa S. Sidhpurwala 2019-04-24 06:37:21 UTC
Statement:

The most common bind configuration affected by this flaw is one where the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible.

Comment 3 Huzaifa S. Sidhpurwala 2019-04-24 06:37:23 UTC
Mitigation:

Exploitation of this defect can be effectively prevented by disabling the nxdomain-redirect feature in the nameserver's configuration.
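
The condition in the description (an nxdomain-redirect namespace that is a descendant of a locally served zone) can be checked in a named.conf to decide whether the mitigation applies. The following is an added example, not code from this bug report or from ISC; the sample configurations are constructed, and treating master/primary/slave/secondary/mirror zones as "served locally" and ignoring view boundaries are assumptions of the example.

```python
import re

# Zone types treated as "served locally" (assumption of this example).
LOCAL_TYPES = {"master", "primary", "slave", "secondary", "mirror"}

def strip_comments(text):
    """Remove /* */, // and # comments from named.conf text."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def labels(name):
    """Split a domain name into lower-case labels; the root '.' gives []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_descendant(name, zone):
    """True if name lies strictly below zone in the DNS tree."""
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[len(n) - len(z):] == z

def local_zones(conf):
    """Yield (zone name, type) for zone blocks with a locally served type."""
    for m in re.finditer(r'\bzone\s+"([^"]*)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:      # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        t = re.search(r"\btype\s+([\w-]+)\s*;", conf[m.end():i])
        if t and t.group(1).lower() in LOCAL_TYPES:
            yield m.group(1), t.group(1).lower()

def audit(conf_text):
    """Return (redirect namespace, zone, type) for each risky combination."""
    conf = strip_comments(conf_text)
    redirects = re.findall(r'\bnxdomain-redirect\s+"?([^";\s]+)"?\s*;', conf)
    zones = list(local_zones(conf))
    return [(r, z, t) for r in redirects for z, t in zones if is_descendant(r, z)]

# Constructed sample: redirection enabled while mirroring the root zone.
SAMPLE_VULNERABLE = '''
options { recursion yes; nxdomain-redirect "redirect.example"; };
zone "." { type mirror; };
zone "corp.test" { type master; file "corp.test.db"; };
'''
# Constructed sample: same server with the mitigation (feature disabled).
SAMPLE_MITIGATED = '''
options { recursion yes; # nxdomain-redirect "redirect.example";
};
zone "." { type mirror; };
'''

if __name__ == "__main__":
    for hit in audit(SAMPLE_VULNERABLE):
        print("nxdomain-redirect %r is below local zone %r (type %s)" % hit)
```

An empty result only means this particular pattern was not found in the text given; included files have to be passed through `audit` as well.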

Comment 4 Huzaifa S. Sidhpurwala 2019-04-24 06:41:23 UTC
Created attachment 1557980
Patch against bind-9.12.4-P1

Comment 5 Huzaifa S. Sidhpurwala 2019-04-24 06:41:57 UTC
Created attachment 1557981
Patch against bind-9-14-1

Comment 8 Huzaifa S. Sidhpurwala 2019-04-25 05:21:02 UTC
External References:

https://kb.isc.org/docs/cve-2019-6467

Comment 10 msiddiqu 2019-08-22 08:02:20 UTC
In reply to comment #9:
> New security release available:
> 
> https://ftp.isc.org/isc/bind9/9.14.1/RELEASE-NOTES-bind-9.14.1.html

Another release note mentioning the CVE-2019-6467 fix:

Experimental development branch
9.15.3: https://downloads.isc.org/isc/bind9/9.15.3/RELEASE-NOTES-bind-9.15.3.html