Bug 2064514 (CVE-2022-0635)

Summary: CVE-2022-0635 bind: Lookups involving a DNAME could trigger an assertion failure when 'synth-from-dnssec' was enabled (which is the default)
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anon.amish, dns-sig, jorton, mosvald, mruprich, pavel, pemensik, security-response-team, vonsch, yozone, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: bind 9.18.1 Doc Type: If docs needed, set a value
Doc Text:
An assertion check flaw was found in BIND, with a refactoration of RFC 8198 Aggressive Use of the DNSSEC-Validated Cache feature (synth-from-dnssec). The repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname, which results in unexpected termination. This flaw allows a remote attacker to use a series of specific queries to trigger a failed assertion check that causes the named process to terminate, leading to a denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-06 13:27:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 2064517    

Description TEJ RATHI 2022-03-16 04:42:13 UTC
We refactored the RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature (synth-from-dnssec) for the new BIND 9.18.0 stable release, and changed the default so that is now automatically enabled for dnssec-validating resolvers. Subsequently it was found that repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly.

The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf and that enabling dnssec-validation automatically enables synth-from-dnssec unless explicitly disabled)

Comment 4 Product Security DevOps Team 2022-04-06 13:27:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):