Bug 2216581 (CVE-2023-2829)

Summary: CVE-2023-2829 bind: DNSSEC-Validated cache can be remotely terminated with malformed NSEC record
Product: [Other] Security Response
Reporter: Anten Skrabec <askrabec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: mosvald, pemensik, saroy, sbroz
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in BIND. This security flaw occurs when a named instance is configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (synth-from-dnssec) enabled; remote termination can occur using a zone with a malformed NSEC record.
Last Closed: 2023-06-28 17:41:01 UTC
Bug Depends On: 2216623, 2216624, 2216625, 2216633, 2216634, 2216635, 2216636, 2216637, 2216638, 2216639, 2216640, 2216641, 2217445, 2217446, 2217447, 2217448    
Bug Blocks: 2216252    

Description Anten Skrabec 2023-06-21 22:24:55 UTC
A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record.
This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1.

https://kb.isc.org/docs/cve-2023-2829

Comment 1 Sandipan Roy 2023-06-22 05:49:11 UTC
Created bind tracking bugs for this issue:

Affects: fedora-37 [bug 2216623]
Affects: fedora-38 [bug 2216625]


Created dhcp tracking bugs for this issue:

Affects: fedora-37 [bug 2216624]

Comment 3 Petr Menšík 2023-06-22 14:07:44 UTC
According to the upstream article [1], this only affects the supported preview version. We do not have it in RHEL or even in Fedora.
That is also why the upstream release notes [2] of the latest 9.16 do not mention this vulnerability.
We are not affected by this one, in any release or component, nor do we have a change to backport.

Can all those bugs be closed?

1. https://kb.isc.org/docs/cve-2023-2829
2. https://downloads.isc.org/isc/bind9/9.16.42/doc/arm/html/notes.html#security-fixes
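
A triage sketch for the conditions stated in the description and in comment 3, added here as an example (it is not Red Hat or ISC code): it checks whether a BIND version string is a `-S` preview build inside the listed ranges and whether `named.conf` text sets `synth-from-dnssec` explicitly. The function names, result labels and sample inputs are assumptions constructed for illustration; built-in defaults of the option and the recursive-resolver role are not modelled.

```python
import re

# Ranges from the bug description; every listed version is a "-S" preview build.
AFFECTED_RANGES = [((9, 16, 8), (9, 16, 41)), ((9, 18, 11), (9, 18, 15))]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")
# Explicit statements only; a missing statement means the default applies.
SYNTH_RE = re.compile(r"\bsynth-from-dnssec\s+(\w+)\s*;", re.I)


def strip_comments(conf):
    """Drop /* */, // and # comments (naive: ignores quoted strings)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def in_affected_range(version_text):
    """True only for -S builds whose x.y.z falls inside a listed range."""
    m = VERSION_RE.search(version_text)
    if not m or not m.group(4):
        return False  # unparsable, or not a preview (-S) build
    v = tuple(int(x) for x in m.group(1, 2, 3))
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(version_text, named_conf):
    """Classify one host from its version string and named.conf text."""
    if not in_affected_range(version_text):
        return "version-not-in-range"
    values = [v.lower() for v in SYNTH_RE.findall(strip_comments(named_conf))]
    if not values:
        return "in-range-option-not-set"  # check the default for that build
    if any(v in ("yes", "true", "1") for v in values):
        return "in-range-option-enabled"
    return "in-range-option-disabled"


# Constructed sample inputs (not taken from any real host).
CONF_ON = "options {\n    dnssec-validation auto;\n    synth-from-dnssec yes;\n};\n"
CONF_COMMENTED = "options {\n    // synth-from-dnssec yes;\n};\n"

if __name__ == "__main__":
    for ver in ("BIND 9.16.23-RH", "BIND 9.18.14-S1", "BIND 9.18.16-S1"):
        print(ver, "->", triage(ver, CONF_ON))
```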

Comment 6 Product Security DevOps Team 2023-06-28 17:40:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-2829