Bug 1995312 (CVE-2021-25218)
| Summary: | CVE-2021-25218 bind: Too strict assertion check could be triggered when responses require UDP fragmentation if RRL is in use | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aegorenk, anon.amish, dns-sig, michal.skrivanek, mperina, mruprich, msehnout, nobody, pavel, pemensik, pspacek, rschiron, sbonazzo, vonsch, zdohnal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | bind 9.16.20, bind 9.17.17, bind 9.16.20-S1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in bind. An assertion failure is triggered, resulting in termination of the named server process, if named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-28 12:31:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1995313, 1995662, 1995663, 1995664, 1995665, 1995666, 1995667, 1995668, 1995669, 1995670, 1995671, 1995672, 1995673, 1995678, 1996631 | ||
| Bug Blocks: | 1995314 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-08-18 19:34:42 UTC
Created bind tracking bugs for this issue: Affects: fedora-all [bug 1995313] oss-security email: https://seclists.org/oss-sec/2021/q3/112 Upstream patches: https://github.com/isc-projects/bind9/commit/513e58d53aff2ade611e56c9ce8c2664ad2488ac https://downloads.isc.org/isc/bind9/9.17.17/patches/CVE-2021-25218.patch https://downloads.isc.org/isc/bind9/9.16.20/patches/CVE-2021-25218.patch Upstream issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/2839 According to the upstream patch and the linked issue, the reachable assertion seems to be in lib/ns/client.c:ns_client_error()
```
void
ns_client_error(ns_client_t *client, isc_result_t result) {
[...]
/*
* Try to rate limit error responses.
*/
if (client->view != NULL && client->view->rrl != NULL) {
bool wouldlog;
char log_buf[DNS_RRL_LOG_BUF_LEN];
dns_rrl_result_t rrl_result;
int loglevel;
INSIST(rcode != dns_rcode_noerror && rcode != dns_rcode_nxdomain); // REACHABLE ASSERTION
[...]
}
```
libns was exported as a separate library from bin/named in https://gitlab.isc.org/bshastry/bind9/-/commit/8eb88aafee951859264e36c315b1289cd8c2088b . The same INSIST assertion can be found in previous versions in bin/named/client.c:ns_client_error(). The code in ns_client_error() function was first introduced with https://gitlab.isc.org/isc-projects/bind9/-/commit/55e5c51e661e23e24573db84114a3837817745c9 , which adds support for DNS Response Rate Limiting (DNS RRL). FTR libns is meant only for BIND-internal use. As explained in https://gitlab.isc.org/isc-projects/bind9/commit/15996f0cb15631b95a801e3e88928494a69ad6ee , ns_client_error() was supposed to be called with a failure rcode and never with dns_rcode_noerror (nor dns_rcode_nxdomain). However due to https://gitlab.isc.org/isc-projects/bind9/commit/82a81287f9d5845450d692398a6c24e0f9c0a19c#3601b983e9bdb916e8f6d2263823c5ea9826bc38_286_298 some code paths were overriding the rcode value to be dns_rcode_noerror. For this reason, versions of bind without commit 82a81287f9d5845450d692398a6c24e0f9c0a19c or `rcode_override` field cannot trigger the assertion in ns_client_error(), even if the function and the assertion are still in the code base. |