Bug 1655844 (CVE-2018-5742) - CVE-2018-5742 bind: Crash from assertion error when debug log level is 10 and log entries meet buffer boundary
Summary: CVE-2018-5742 bind: Crash from assertion error when debug log level is 10 and...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-5742
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1647539 1656998 1662916
Blocks: 1654900
TreeView+ depends on / blocked
 
Reported: 2018-12-04 04:44 UTC by Sam Fowler
Modified: 2022-03-13 16:19 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:28 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0194 0 None None None 2019-01-29 17:24:40 UTC

Description Sam Fowler 2018-12-04 04:44:46 UTC 
The bind package shipped in Red Hat Enterprise Linux 7 from version 9.9.4-65 is vulnerable to an issue when the debug log level is 10 or higher, allowing for remote attackers to cause a crash via crafted queries. This issue is a regression introduced by the backport of the "negative trust anchors" patch included from version 9.9.4-65.


Introduced By:

https://bugzilla.redhat.com/show_bug.cgi?id=1452091
Comment 7 Scott Gayou 2018-12-07 20:58:51 UTC 
Statement:

This flaw appears to be exploitable only when debug logging is enabled and set to at least a level of 10. As this configuration should be rare in production instances of bind, it is unlikely that most servers will be exploitable. The debug level of the bind server can be checked via the rndc status command, which will return the current trace level as "debug level". A value of 10 or above would most likely make this flaw exploitable.
Comment 8 Scott Gayou 2018-12-07 21:00:51 UTC 
Mitigation:

Ensure that debug logging is disabled and set to 0. This can be verified on the Bind server by the rndc status command.
Comment 9 Scott Gayou 2018-12-07 21:25:09 UTC 
Callflow starts here in resolver.c:

```
dns_message_logfmtpacket(message, "received packet:\n",
DNS_LOGCATEGORY_RESOLVER,
DNS_LOGMODULE_PACKETS,
&dns_master_style_comment,
ISC_LOG_DEBUG(10),
fctx->res->mctx);
```

and appears to potentially end with an assert inside of isc_buffer_putstr.

```
if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
   isc_buffer_putstr(target, ";");
```

We can get some of these messages via -d 10 passed to named:

```
named -d 10 -f -g 2> >(grep "received packet:" -A 15)
```

On a default install of bind, the above command should show you some of these packet dumps (you may have to change permissions of /var/named to avoid some permissions errors). Dropping the debug level down just one level to 9 disables this specific print.

Thus, most likely exploitable, but only on debug configs. I suspect very few bind instances are running with debug logging.
Comment 11 Scott Gayou 2018-12-18 14:03:22 UTC 
Looks like this flaw is impacting more than I thought. Going to re-analyze and try to determine if this is exploitable somehow with less than debug 10 logs enabled or if lots of people really like verbose bind logs.
Comment 12 Scott Gayou 2018-12-18 14:17:12 UTC 
Unembargoed due to public info being available.
Comment 13 Scott Gayou 2018-12-18 14:28:43 UTC 
https://bugs.centos.org/view.php?id=15528
Comment 14 Sam Fowler 2018-12-19 23:34:24 UTC 
External Reference:

https://www.openwall.com/lists/oss-security/2018/12/19/6
Comment 15 errata-xmlrpc 2019-01-29 17:24:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0194 https://access.redhat.com/errata/RHSA-2019:0194
Note You need to log in before you can comment on or make changes to this bug.