Bug 1441125 (CVE-2017-3136) - CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with "break-dnssec yes;"
Summary: CVE-2017-3136 bind: Incorrect error handling causes assertion failure when us...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-3136
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1441616 1441617 1441916 1441917 1442980 1442981
Blocks: 1441140
TreeView+ depends on / blocked
 
Reported: 2017-04-11 09:34 UTC by Adam Mariš
Modified: 2021-02-17 02:21 UTC (History)
6 users (show)

Fixed In Version: bind 9.9.9-P8, bind 9.10.4-P8, bind 9.11.0-P5
Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:10:09 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3003871 0 None None None 2017-04-18 05:12:42 UTC
Red Hat Product Errata RHSA-2017:1095 0 normal SHIPPED_LIVE Important: bind security update 2017-04-19 10:28:30 UTC
Red Hat Product Errata RHSA-2017:1105 0 normal SHIPPED_LIVE Important: bind security update 2017-04-20 16:54:03 UTC

Description Adam Mariš 2017-04-11 09:34:14 UTC
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Servers are at risk if they are configured to use DNS64 and if the option "break-dnssec yes;" is in use.

External References:

https://kb.isc.org/article/AA-01465

Mitigation:

Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade.  Servers which are not using these features in conjunction are not at risk from this defect.

Comment 1 Adam Mariš 2017-04-11 09:34:20 UTC
Acknowledgments:

Name: ISC
Upstream: Oleg Gorokhov (Yandex)

Comment 3 Dhiru Kholia 2017-04-13 05:40:43 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1441916]

Comment 4 Dhiru Kholia 2017-04-13 05:40:50 UTC
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1441917]

Comment 7 errata-xmlrpc 2017-04-19 06:28:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1095 https://access.redhat.com/errata/RHSA-2017:1095

Comment 8 errata-xmlrpc 2017-04-20 12:54:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1105 https://access.redhat.com/errata/RHSA-2017:1105


Note You need to log in before you can comment on or make changes to this bug.