Bug 1655844 (CVE-2018-5742) - CVE-2018-5742 bind: Crash from assertion error when debug log level is 10 and log entries meet buffer boundary
Summary: CVE-2018-5742 bind: Crash from assertion error when debug log level is 10 and...
Alias: CVE-2018-5742
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1647539 1656998 1662916
Blocks: 1654900
TreeView+ depends on / blocked
Reported: 2018-12-04 04:44 UTC by Sam Fowler
Modified: 2021-02-16 22:43 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:43:28 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0194 0 None None None 2019-01-29 17:24:40 UTC

Description Sam Fowler 2018-12-04 04:44:46 UTC
The bind package shipped in Red Hat Enterprise Linux 7 from version 9.9.4-65 is vulnerable to an issue when the debug log level is 10 or higher, allowing for remote attackers to cause a crash via crafted queries. This issue is a regression introduced by the backport of the "negative trust anchors" patch included from version 9.9.4-65.

Introduced By:


Comment 7 Scott Gayou 2018-12-07 20:58:51 UTC

This flaw appears to be exploitable only when debug logging is enabled and set to at least a level of 10. As this configuration should be rare in production instances of bind, it is unlikely that most servers will be exploitable. The debug level of the bind server can be checked via the rndc status command, which will return the current trace level as "debug level". A value of 10 or above would most likely make this flaw exploitable.

Comment 8 Scott Gayou 2018-12-07 21:00:51 UTC

Ensure that debug logging is disabled and set to 0. This can be verified on the Bind server by the rndc status command.

Comment 9 Scott Gayou 2018-12-07 21:25:09 UTC
Callflow starts here in resolver.c:

dns_message_logfmtpacket(message, "received packet:\n",

and appears to potentially end with an assert inside of isc_buffer_putstr.

if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
   isc_buffer_putstr(target, ";");

We can get some of these messages via -d 10 passed to named:

named -d 10 -f -g 2> >(grep "received packet:" -A 15)

On a default install of bind, the above command should show you some of these packet dumps (you may have to change permissions of /var/named to avoid some permissions errors). Dropping the debug level down just one level to 9 disables this specific print.

Thus, most likely exploitable, but only on debug configs. I suspect very few bind instances are running with debug logging.

Comment 11 Scott Gayou 2018-12-18 14:03:22 UTC
Looks like this flaw is impacting more than I thought. Going to re-analyze and try to determine if this is exploitable somehow with less than debug 10 logs enabled or if lots of people really like verbose bind logs.

Comment 12 Scott Gayou 2018-12-18 14:17:12 UTC
Unembargoed due to public info being available.

Comment 13 Scott Gayou 2018-12-18 14:28:43 UTC

Comment 14 Sam Fowler 2018-12-19 23:34:24 UTC
External Reference:


Comment 15 errata-xmlrpc 2019-01-29 17:24:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0194 https://access.redhat.com/errata/RHSA-2019:0194

Note You need to log in before you can comment on or make changes to this bug.