1441125 – (CVE-2017-3136) CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with "break-dnssec yes;"

Bug 1441125 (CVE-2017-3136) - CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with "break-dnssec yes;"

Summary: CVE-2017-3136 bind: Incorrect error handling causes assertion failure when us...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-3136
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1441616 1441617 1441916 1441917 1442980 1442981
Blocks:	1441140
TreeView+	depends on / blocked

Reported:	2017-04-11 09:34 UTC by Adam Mariš
Modified:	2021-02-17 02:21 UTC (History)
CC List:	6 users (show)
Fixed In Version:	bind 9.9.9-P8, bind 9.10.4-P8, bind 9.11.0-P5
Clone Of:
Environment:
Last Closed:	2019-06-08 03:10:09 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	3003871	None	None	None	2017-04-18 05:12:42 UTC
Red Hat Product Errata	RHSA-2017:1095	normal	SHIPPED_LIVE	Important: bind security update	2017-04-19 10:28:30 UTC
Red Hat Product Errata	RHSA-2017:1105	normal	SHIPPED_LIVE	Important: bind security update	2017-04-20 16:54:03 UTC

Description Adam Mariš 2017-04-11 09:34:14 UTC

A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Servers are at risk if they are configured to use DNS64 and if the option "break-dnssec yes;" is in use.

External References:

https://kb.isc.org/article/AA-01465

Mitigation:

Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade.  Servers which are not using these features in conjunction are not at risk from this defect.

Comment 1 Adam Mariš 2017-04-11 09:34:20 UTC

Acknowledgments:

Name: ISC
Upstream: Oleg Gorokhov (Yandex)

Comment 3 Dhiru Kholia 2017-04-13 05:40:43 UTC

Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1441916]

Comment 4 Dhiru Kholia 2017-04-13 05:40:50 UTC

Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1441917]

Comment 7 errata-xmlrpc 2017-04-19 06:28:47 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1095 https://access.redhat.com/errata/RHSA-2017:1095

Comment 8 errata-xmlrpc 2017-04-20 12:54:28 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1105 https://access.redhat.com/errata/RHSA-2017:1105

Note You need to log in before you can comment on or make changes to this bug.