Bug 1441125 – CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with "break-dnssec yes;"

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1441125 - (CVE-2017-3136) CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with "break-dnssec yes;"

Summary:	CVE-2017-3136 bind: Incorrect error handling causes assertion failure when us...

Status:	NEW

Aliases:	CVE-2017-3136

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170412,repor...
Keywords:	Security

Depends On:	1441616 1441617 1441916 1441917 1442980 1442981
Blocks:	1441140
	Show dependency tree / graph

Reported:	2017-04-11 05:34 EDT by Adam Mariš
Modified:	2018-03-29 18:02 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:	bind 9.9.9-P8, bind 9.10.4-P8, bind 9.11.0-P5
Doc Type:	If docs needed, set a value
Doc Text:	A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	3003871	None	None	None	2017-04-18 01:12 EDT
Red Hat Product Errata	RHSA-2017:1095	normal	SHIPPED_LIVE	Important: bind security update	2017-04-19 06:28:30 EDT
Red Hat Product Errata	RHSA-2017:1105	normal	SHIPPED_LIVE	Important: bind security update	2017-04-20 12:54:03 EDT

Groups: None (edit)

Description Adam Mariš 2017-04-11 05:34:14 EDT

A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Servers are at risk if they are configured to use DNS64 and if the option "break-dnssec yes;" is in use.

External References:

https://kb.isc.org/article/AA-01465

Mitigation:

Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade.  Servers which are not using these features in conjunction are not at risk from this defect.

Comment 1 Adam Mariš 2017-04-11 05:34:20 EDT

Acknowledgments:

Name: ISC
Upstream: Oleg Gorokhov (Yandex)

Comment 3 Dhiru Kholia 2017-04-13 01:40:43 EDT

Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1441916]

Comment 4 Dhiru Kholia 2017-04-13 01:40:50 EDT

Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1441917]

Comment 7 errata-xmlrpc 2017-04-19 02:28:47 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1095 https://access.redhat.com/errata/RHSA-2017:1095

Comment 8 errata-xmlrpc 2017-04-20 08:54:28 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1105 https://access.redhat.com/errata/RHSA-2017:1105

Note You need to log in before you can comment on or make changes to this bug.