Bug 1291186 - (CVE-2015-8461) CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151215,repor...
Keywords: Security
Depends On: 1291911
Blocks: 1291188
Reported: 2015-12-14 04:12 EST by Martin Prpič
Modified: 2016-01-22 04:29 EST
Fixed In Version: bind 9.9.8-P2, bind 9.10.3-P2
Doc Type: Bug Fix
Last Closed: 2015-12-15 16:09:49 EST
Description Martin Prpič 2015-12-14 04:12:28 EST
The following flaw, reported by ISC, was found in BIND version 9 (9.9.8 through 9.9.8-P1, 9.9.8-S1 through 9.9.8-S2, 9.10.3 through 9.10.3-P1):

Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c. This error was introduced with the following patch:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d

An uncommonly occurring condition can cause affected servers to exit with an INSIST failure depending on the outcome of a race condition in resolver.c. While difficult to exploit reliably, a malicious party could, through deliberate behavior, significantly increase the probability of encountering the triggering condition, resulting in denial-of-service to clients if successful.
Comment 1 Martin Prpič 2015-12-14 04:13:35 EST
Acknowledgements:

Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges John O'Brien of the University of Pennsylvania as the original reporter.
Comment 3 Tomas Hoger 2015-12-15 16:02:38 EST
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01319
Comment 4 Tomas Hoger 2015-12-15 16:08:44 EST
Created bind tracking bugs for this issue:

Affects: fedora-23 [bug 1291911]
Comment 5 Tomas Hoger 2015-12-15 16:09:49 EST
No Red Hat product included affected bind versions.
Comment 6 Nick Urbanik 2015-12-17 00:05:47 EST
Is this not the same vulnerability that caught us yesterday:

16-Dec-2015 03:33:25.000 client: client 10.206.88.22#11109: recursive-clients soft limit exceeded (9904/9900/10000), aborting oldest query
16-Dec-2015 03:33:25.940 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 03:33:25.941 general: exiting (due to assertion failure)
16-Dec-2015 06:29:47.000 client: client 49.199.24.156#43970: recursive-clients soft limit exceeded (9909/9900/10000), aborting oldest query
16-Dec-2015 06:29:47.521 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:47.521 general: exiting (due to assertion failure)
16-Dec-2015 06:29:08.000 client: client 10.204.43.127#5035: recursive-clients soft limit exceeded (9907/9900/10000), aborting oldest query
16-Dec-2015 06:29:08.556 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:08.556 general: exiting (due to assertion failure)
16-Dec-2015 13:23:39.002 client: client 110.21.91.221#53551: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:23:39.817 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:23:39.817 general: exiting (due to assertion failure)
16-Dec-2015 13:54:45.000 client: client 10.204.44.161#28244: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:54:45.592 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:54:45.592 general: exiting (due to assertion failure)
16-Dec-2015 15:44:36.000 client: client 49.195.170.22#18817: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 15:44:36.716 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 15:44:36.716 general: exiting (due to assertion failure)
16-Dec-2015 06:27:36.000 client: client 10.204.247.33#14995: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 06:27:36.613 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:27:36.614 general: exiting (due to assertion failure)
16-Dec-2015 06:50:06.000 client: client 49.195.168.80#59498: recursive-clients soft limit exceeded (9909/9900/10000), aborting oldest query
16-Dec-2015 06:50:06.376 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:50:06.376 general: exiting (due to assertion failure)
16-Dec-2015 11:27:51.008 client: client 58.111.135.165#58059: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 11:27:51.195 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 11:27:51.195 general: exiting (due to assertion failure)
16-Dec-2015 12:54:55.002 client: client 10.204.10.25#10198: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 12:54:55.765 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 12:54:55.765 general: exiting (due to assertion failure)
16-Dec-2015 13:47:52.001 client: client 1.40.136.246#58047: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:47:52.285 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:47:52.285 general: exiting (due to assertion failure)

This was bind-*9.8.2-0.37.rc1.el6_7.4.x86_64

We have upgraded to bind-*9.8.2-0.37.rc1.el6_7.5.x86_64,
but are you saying that what we see cannot happen?
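
Added example, not part of the original bug report or of BIND: a triage script for named log output in the layout posted in Comment 6. It extracts each assertion failure, records which assertion macro fired and at which source location (the advisory text describes an INSIST in resolver.c, the excerpt shows a REQUIRE), whether named logged an exit afterwards, and the most recent recursive-clients soft-limit line before it. The sample log is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the named log excerpt in Comment 6.
# The client address is from a documentation range, and the INSIST line
# (line number and condition) is made up to exercise a second macro.
SAMPLE_LOG = """\
16-Dec-2015 03:33:25.000 client: client 192.0.2.10#11109: recursive-clients soft limit exceeded (9904/9900/10000), aborting oldest query
16-Dec-2015 03:33:25.940 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 03:33:25.941 general: exiting (due to assertion failure)
16-Dec-2015 04:00:00.000 general: resolver.c:1: INSIST(constructed_condition) failed
"""

ASSERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) general: (?P<file>[\w.]+):(?P<line>\d+): "
    r"(?P<macro>REQUIRE|ENSURE|INSIST|INVARIANT)\((?P<cond>.*)\) failed$")
SOFT_RE = re.compile(r"recursive-clients soft limit exceeded \((\d+)/(\d+)/(\d+)\)")
EXIT_MARK = "exiting (due to assertion failure)"


def find_assertion_failures(lines):
    """Return one record per assertion failure, in log order.

    Correlation is by adjacency, not timestamp: merged logs (as in the
    excerpt) are not necessarily sorted by time.
    """
    failures, last_soft = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        soft = SOFT_RE.search(line)
        if soft:
            # Keep the three counters logged in parentheses.
            last_soft = tuple(int(n) for n in soft.groups())
            continue
        hit = ASSERT_RE.match(line)
        if hit:
            failures.append({**hit.groupdict(), "line": int(hit["line"]),
                             "soft_limit": last_soft, "exited": False})
            last_soft = None
        elif EXIT_MARK in line and failures:
            failures[-1]["exited"] = True
    return failures


def summarize(failures):
    """Count failures that ended in a process exit, per (file, line, macro)."""
    return Counter((f["file"], f["line"], f["macro"]) for f in failures if f["exited"])


if __name__ == "__main__":
    for key, n in summarize(find_assertion_failures(SAMPLE_LOG.splitlines())).items():
        print(key, n)
```

Grouping by source location and macro makes it easy to compare what a server actually logged against the assertion named in an advisory before concluding that two crashes share a cause.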
Comment 8 Fedora Update System 2015-12-19 13:25:04 EST
bind-9.10.3-7.P2.fc23, bind-dyndb-ldap-8.0-4.fc23, dnsperf-2.0.0.0-19.fc23 have been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-12-22 02:22:51 EST
bind-9.10.3-7.P2.fc22, bind-dyndb-ldap-7.0-6.fc22, dnsperf-2.0.0.0-19.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
