Bug 1420193 (CVE-2017-3135) - CVE-2017-3135 bind: Assertion failure when using DNS64 and RPZ Can Lead to Crash
Summary: CVE-2017-3135 bind: Assertion failure when using DNS64 and RPZ Can Lead to Crash
Alias: CVE-2017-3135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1420199 1420200 1420607 1420608
Blocks: 1420194
TreeView+ depends on / blocked
Reported: 2017-02-08 05:18 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 02:36 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in the way BIND handled query responses when both DNS64 and RPZ were used. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure or a null pointer dereference via a specially crafted DNS response.
Clone Of:
Last Closed: 2017-03-07 08:33:46 UTC

Attachments (Terms of Use)
Patch between bind-9.9.9-P6 and bind-9.9.9-P5 (21.29 KB, patch)
2017-02-08 05:50 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2918391 0 None None None 2017-02-10 03:22:59 UTC
Red Hat Product Errata RHSA-2017:0276 0 normal SHIPPED_LIVE Moderate: bind security update 2017-02-15 18:12:04 UTC

Description Huzaifa S. Sidhpurwala 2017-02-08 05:18:43 UTC
As per upstream advisory:

Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer.


Servers utilizing both DNS64 and RPZ are potentially susceptible to encountering this condition.  When this condition occurs, it will result in either an INSIST assertion failure (and subsequent abort) or an attempt to read through a NULL pointer.  On most platforms a NULL pointer read leads to a segmentation fault (SEGFAULT), which causes the process to be terminated.

Only servers which are configured to simultaneously use both Response Policy Zones (RPZ) and DNS64 (a method for synthesizing AAAA records from A records) can be affected by this vulnerability.


While it is possible to avoid the condition by removing either DNS64 or RPZ from the configuration, or by carefully restricting the contents of the policy zone, for an affected configuration the most practical and safest course of action is to upgrade to a version of BIND without this vulnerability.

Comment 1 Huzaifa S. Sidhpurwala 2017-02-08 05:30:42 UTC

Name: ISC
Upstream: Ramesh Damodaran (Infoblox) and Aliaksandr Shubnik (Infoblox)

Comment 2 Huzaifa S. Sidhpurwala 2017-02-08 05:50:27 UTC
Created attachment 1248550 [details]
Patch between bind-9.9.9-P6 and bind-9.9.9-P5

Comment 5 Huzaifa S. Sidhpurwala 2017-02-09 04:24:52 UTC
Public now via upstream advisory.

External References:


Comment 6 Huzaifa S. Sidhpurwala 2017-02-09 04:39:35 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1420607]

Comment 7 Huzaifa S. Sidhpurwala 2017-02-09 04:39:43 UTC
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1420608]

Comment 15 errata-xmlrpc 2017-02-15 13:12:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0276 https://rhn.redhat.com/errata/RHSA-2017-0276.html

Note You need to log in before you can comment on or make changes to this bug.