Bug 1291186 (CVE-2015-8461) - CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-8461
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1291911
Blocks: 1291188
Reported: 2015-12-14 09:12 UTC by Martin Prpič
Modified: 2023-05-12 14:40 UTC (History)

Fixed In Version: bind 9.9.8-P2, bind 9.10.3-P2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-15 21:09:49 UTC
Embargoed:



Description Martin Prpič 2015-12-14 09:12:28 UTC
The following flaw, reported by ISC, was found in BIND version 9 (9.9.8 through 9.9.8-P1, 9.9.8-S1 through 9.9.8-S2, 9.10.3 through 9.10.3-P1):

Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c. This error was introduced with the following patch:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d

An uncommonly occurring condition can cause affected servers to exit with an INSIST failure depending on the outcome of a race condition in resolver.c. While difficult to exploit reliably, a malicious party could, through deliberate behavior, significantly increase the probability of encountering the triggering condition, resulting in denial-of-service to clients if successful.

Comment 1 Martin Prpič 2015-12-14 09:13:35 UTC
Acknowledgements:

Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges John O'Brien of the University of Pennsylvania as the original reporter.

Comment 3 Tomas Hoger 2015-12-15 21:02:38 UTC
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01319

Comment 4 Tomas Hoger 2015-12-15 21:08:44 UTC
Created bind tracking bugs for this issue:

Affects: fedora-23 [bug 1291911]

Comment 5 Tomas Hoger 2015-12-15 21:09:49 UTC
No Red Hat product included affected bind versions.

Comment 6 Nick Urbanik 2015-12-17 05:05:47 UTC
Is this not the same vulnerability that caught us yesterday:

16-Dec-2015 03:33:25.000 client: client 10.206.88.22#11109: recursive-clients soft limit exceeded (9904/9900/10000), aborting oldest query
16-Dec-2015 03:33:25.940 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 03:33:25.941 general: exiting (due to assertion failure)
16-Dec-2015 06:29:47.000 client: client 49.199.24.156#43970: recursive-clients soft limit exceeded (9909/9900/10000), aborting oldest query
16-Dec-2015 06:29:47.521 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:47.521 general: exiting (due to assertion failure)
16-Dec-2015 06:29:08.000 client: client 10.204.43.127#5035: recursive-clients soft limit exceeded (9907/9900/10000), aborting oldest query
16-Dec-2015 06:29:08.556 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:08.556 general: exiting (due to assertion failure)
16-Dec-2015 13:23:39.002 client: client 110.21.91.221#53551: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:23:39.817 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:23:39.817 general: exiting (due to assertion failure)
16-Dec-2015 13:54:45.000 client: client 10.204.44.161#28244: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:54:45.592 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:54:45.592 general: exiting (due to assertion failure)
16-Dec-2015 15:44:36.000 client: client 49.195.170.22#18817: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 15:44:36.716 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 15:44:36.716 general: exiting (due to assertion failure)
16-Dec-2015 06:27:36.000 client: client 10.204.247.33#14995: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 06:27:36.613 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:27:36.614 general: exiting (due to assertion failure)
16-Dec-2015 06:50:06.000 client: client 49.195.168.80#59498: recursive-clients soft limit exceeded (9909/9900/10000), aborting oldest query
16-Dec-2015 06:50:06.376 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:50:06.376 general: exiting (due to assertion failure)
16-Dec-2015 11:27:51.008 client: client 58.111.135.165#58059: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 11:27:51.195 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 11:27:51.195 general: exiting (due to assertion failure)
16-Dec-2015 12:54:55.002 client: client 10.204.10.25#10198: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 12:54:55.765 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 12:54:55.765 general: exiting (due to assertion failure)
16-Dec-2015 13:47:52.001 client: client 1.40.136.246#58047: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:47:52.285 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:47:52.285 general: exiting (due to assertion failure)

This was bind-*9.8.2-0.37.rc1.el6_7.4.x86_64

We have upgraded to bind-*9.8.2-0.37.rc1.el6_7.5.x86_64,
but are you saying that what we see cannot happen?
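
Added example (not part of the original bug report and not ISC or Red Hat code): a triage helper that checks an upstream BIND version against the releases listed in the description and extracts assertion-failure records from named log lines in the format shown in comment 6. The function names, the enumeration of the affected ranges as six discrete versions, and the last sample log line are assumptions made for this example.

```python
import re

# Upstream releases named in the bug description; enumerating the ranges as
# exactly these six versions is an assumption of this example.
AFFECTED_VERSIONS = {
    "9.9.8", "9.9.8-P1", "9.9.8-S1", "9.9.8-S2", "9.10.3", "9.10.3-P1",
}

# named "general" line: "<date> <time> general: file.c:LINE: KIND(cond) failed"
ASSERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) general: (?P<file>[\w./-]+):(?P<line>\d+): "
    r"(?P<kind>REQUIRE|ENSURE|INSIST|INVARIANT)\((?P<cond>.*)\) failed$"
)

def is_affected(upstream_version):
    """True if the upstream BIND version is one the description lists."""
    return upstream_version.strip() in AFFECTED_VERSIONS

def assertion_failures(log_lines):
    """Return one dict per assertion-failure line found in the log."""
    records = []
    for raw in log_lines:
        m = ASSERT_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["line"] = int(rec["line"])
        # Coarse match on the description's wording: an INSIST in resolver.c.
        rec["advisory_signature"] = (
            rec["kind"] == "INSIST" and rec["file"] == "resolver.c"
        )
        records.append(rec)
    return records

# The first two lines are copied from comment 6. The last line is constructed
# for this example; its timestamp, line number and condition are placeholders.
SAMPLE_LOG = [
    "16-Dec-2015 03:33:25.940 general: resolver.c:3123: REQUIRE((((fctx->finds).head"
    " == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed",
    "16-Dec-2015 03:33:25.941 general: exiting (due to assertion failure)",
    "01-Jan-2016 00:00:00.000 general: resolver.c:1: INSIST(placeholder_condition) failed",
]

if __name__ == "__main__":
    for rec in assertion_failures(SAMPLE_LOG):
        print(rec["ts"], rec["file"], rec["line"], rec["kind"], rec["advisory_signature"])
    for version in ("9.8.2", "9.10.3-P1", "9.10.3-P2"):
        print(version, "affected" if is_affected(version) else "not listed as affected")
```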

Comment 8 Fedora Update System 2015-12-19 18:25:04 UTC
bind-9.10.3-7.P2.fc23, bind-dyndb-ldap-8.0-4.fc23, dnsperf-2.0.0.0-19.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-12-22 07:22:51 UTC
bind-9.10.3-7.P2.fc22, bind-dyndb-ldap-7.0-6.fc22, dnsperf-2.0.0.0-19.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

