Bug 1702545 (CVE-2019-6467) - CVE-2019-6467 bind: flaw in nxredirect can cause assertion failure
Summary: CVE-2019-6467 bind: flaw in nxredirect can cause assertion failure
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-6467
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1702542
TreeView+ depends on / blocked
 
Reported: 2019-04-24 06:03 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-16 22:04 UTC (History)
10 users (show)

Fixed In Version: bind 9.12.4-P1, bind 9.14.1, bind 9.14.2, bind 9.15.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way "nxdomain-redirect" feature was implemented in bind. An attacker could use this flaw on a server with a vulnerable configuration to cause bind to exit, denying service to other clients.
Clone Of:
Environment:
Last Closed: 2019-04-25 05:21:40 UTC


Attachments (Terms of Use)
Patch against bind-9.12.4-P1 (14.22 KB, patch)
2019-04-24 06:41 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff
Patch against bind-9-14-1 (14.31 KB, patch)
2019-04-24 06:41 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff

Description Huzaifa S. Sidhpurwala 2019-04-24 06:03:32 UTC
As per upstream advisory:

A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally.

The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible.

An attacker who can deliberately trigger the condition on a server with a vulnerable configuration can cause BIND to exit, denying service to other clients.

Comment 1 Huzaifa S. Sidhpurwala 2019-04-24 06:03:34 UTC
Acknowledgments:

Name: ISC

Comment 2 Huzaifa S. Sidhpurwala 2019-04-24 06:37:21 UTC
Statement:

The most common bind configuration which is affected by this flaw is, if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible.

Comment 3 Huzaifa S. Sidhpurwala 2019-04-24 06:37:23 UTC
Mitigation:

Exploitation of this defect can be effectively prevented by disabling the nxdomain-redirect feature in the nameserver's configuration.

Comment 4 Huzaifa S. Sidhpurwala 2019-04-24 06:41:23 UTC
Created attachment 1557980 [details]
Patch against bind-9.12.4-P1

Comment 5 Huzaifa S. Sidhpurwala 2019-04-24 06:41:57 UTC
Created attachment 1557981 [details]
Patch against bind-9-14-1

Comment 8 Huzaifa S. Sidhpurwala 2019-04-25 05:21:02 UTC
External References:

https://kb.isc.org/docs/cve-2019-6467

Comment 10 msiddiqu 2019-08-22 08:02:20 UTC
In reply to comment #9:
> New security release available:
> 
> https://ftp.isc.org/isc/bind9/9.14.1/RELEASE-NOTES-bind-9.14.1.html

Another Release note mentioning CVE-2019-6467 fix:

Experimental development branch
9.15.3: https://downloads.isc.org/isc/bind9/9.15.3/RELEASE-NOTES-bind-9.15.3.html


Note You need to log in before you can comment on or make changes to this bug.