Bug 1995312 (CVE-2021-25218) - CVE-2021-25218 bind: Too strict assertion check could be triggered when responses require UDP fragmentation if RRL is in use
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-25218
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1995313 1995662 1995663 1995664 1995665 1995666 1995667 1995668 1995669 1995670 1995671 1995672 1995673 1995678 1996631
Blocks: 1995314
Reported: 2021-08-18 19:34 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-28 12:31 UTC (History)

Fixed In Version: bind 9.16.20, bind 9.17.17, bind 9.16.20-S1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in bind. An assertion failure is triggered, resulting in termination of the named server process, if named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-10-28 12:31:48 UTC



Description Guilherme de Almeida Suckevicz 2021-08-18 19:34:42 UTC
If named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active, an assertion failure is triggered (resulting in termination of the named server process).

Reference:
https://kb.isc.org/docs/cve-2021-25218

Comment 1 Guilherme de Almeida Suckevicz 2021-08-18 19:35:01 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1995313]

Comment 2 Riccardo Schirone 2021-08-19 09:52:10 UTC
oss-security email:
https://seclists.org/oss-sec/2021/q3/112

Comment 4 Riccardo Schirone 2021-08-19 13:09:45 UTC
Upstream issue:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2839

Comment 5 Riccardo Schirone 2021-08-19 13:19:20 UTC
According to the upstream patch and the linked issue, the reachable assertion seems to be in lib/ns/client.c:ns_client_error()

```c
void
ns_client_error(ns_client_t *client, isc_result_t result) {
	[...]
	/*
	 * Try to rate limit error responses.
	 */
	if (client->view != NULL && client->view->rrl != NULL) {
		bool wouldlog;
		char log_buf[DNS_RRL_LOG_BUF_LEN];
		dns_rrl_result_t rrl_result;
		int loglevel;

		INSIST(rcode != dns_rcode_noerror && rcode != dns_rcode_nxdomain);   // REACHABLE ASSERTION
	[...]
}
```

Comment 6 Riccardo Schirone 2021-08-19 13:32:00 UTC
libns was exported as a separate library from bin/named in https://gitlab.isc.org/bshastry/bind9/-/commit/8eb88aafee951859264e36c315b1289cd8c2088b . The same INSIST assertion can be found in previous versions in bin/named/client.c:ns_client_error().

The code in ns_client_error() function was first introduced with https://gitlab.isc.org/isc-projects/bind9/-/commit/55e5c51e661e23e24573db84114a3837817745c9 , which adds support for DNS Response Rate Limiting (DNS RRL).

Comment 12 Petr Špaček 2021-08-20 09:00:38 UTC
FTR libns is meant only for BIND-internal use.

Comment 14 Riccardo Schirone 2021-08-20 13:21:52 UTC
As explained in https://gitlab.isc.org/isc-projects/bind9/commit/15996f0cb15631b95a801e3e88928494a69ad6ee , ns_client_error() was supposed to be called with a failure rcode and never with dns_rcode_noerror (nor dns_rcode_nxdomain). However, due to https://gitlab.isc.org/isc-projects/bind9/commit/82a81287f9d5845450d692398a6c24e0f9c0a19c#3601b983e9bdb916e8f6d2263823c5ea9826bc38_286_298 some code paths were overriding the rcode value to be dns_rcode_noerror.

For this reason, versions of bind without commit 82a81287f9d5845450d692398a6c24e0f9c0a19c or `rcode_override` field cannot trigger the assertion in ns_client_error(), even if the function and the assertion are still in the code base.
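A simplified model of the failure mode described in comments 5 and 14, added here as an illustration and not BIND's code: a hypothetical `rcode_override` field (-1 meaning unset) forces the effective rcode to NOERROR on the error path, which trips the INSIST only when RRL is active; the hardened variant is one defensive option (not upstream's patch) that checks the precondition and falls back to the normal response path instead of aborting.

```c
#include <stdbool.h>

/* Simplified model of the ns_client_error() shape discussed above; NOT BIND's code. */
typedef enum {
    DNS_RCODE_NOERROR = 0,
    DNS_RCODE_SERVFAIL = 2,
    DNS_RCODE_NXDOMAIN = 3,
    DNS_RCODE_REFUSED = 5
} dns_rcode_t;

typedef enum {
    MODEL_SENT_ERROR,        /* error response passed through RRL and sent */
    MODEL_SENT_WITHOUT_RRL,  /* no RRL on the view: error response sent directly */
    MODEL_INSIST_FAILURE,    /* the INSIST() would fire and abort named */
    MODEL_SENT_NORMAL        /* hardened path: non-error rcode handled as a normal response */
} model_status_t;

/* Effective rcode: a hypothetical rcode_override (-1 = unset) wins over the rcode
 * derived from the failing result, mirroring the overriding code paths in comment 14. */
static dns_rcode_t effective_rcode(int rcode_override, dns_rcode_t result_rcode) {
    return (rcode_override >= 0) ? (dns_rcode_t)rcode_override : result_rcode;
}

/* Vulnerable shape: the RRL branch asserts the rcode is an error *after* the override. */
model_status_t vulnerable_client_error(bool rrl_enabled, int rcode_override,
                                       dns_rcode_t result_rcode) {
    dns_rcode_t rcode = effective_rcode(rcode_override, result_rcode);
    if (!rrl_enabled) {
        return MODEL_SENT_WITHOUT_RRL;  /* the INSIST is only inside the RRL block */
    }
    /* INSIST(rcode != dns_rcode_noerror && rcode != dns_rcode_nxdomain) */
    if (rcode == DNS_RCODE_NOERROR || rcode == DNS_RCODE_NXDOMAIN) {
        return MODEL_INSIST_FAILURE;
    }
    return MODEL_SENT_ERROR;
}

/* Hardened shape: validate the precondition before the error-limiting branch and
 * route a non-error rcode to the normal path rather than asserting. */
model_status_t hardened_client_error(bool rrl_enabled, int rcode_override,
                                     dns_rcode_t result_rcode) {
    dns_rcode_t rcode = effective_rcode(rcode_override, result_rcode);
    if (rcode == DNS_RCODE_NOERROR || rcode == DNS_RCODE_NXDOMAIN) {
        return MODEL_SENT_NORMAL;  /* not an error response: RRL error limiting does not apply */
    }
    return rrl_enabled ? MODEL_SENT_ERROR : MODEL_SENT_WITHOUT_RRL;
}
```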

