Bug 1291186 (CVE-2015-8461)

Summary: CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: nicku, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: bind 9.9.8-P2, bind 9.10.3-P2
Doc Type: Bug Fix
Last Closed: 2015-12-15 21:09:49 UTC
Bug Depends On: 1291911

Description Martin Prpič 2015-12-14 09:12:28 UTC
The following flaw, reported by ISC, was found in BIND version 9 (9.9.8 through 9.9.8-P1, 9.9.8-S1 through 9.9.8-S2, 9.10.3 through 9.10.3-P1):

Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c. This error was introduced with the following patch:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d

An uncommonly occurring condition can cause affected servers to exit with an INSIST failure depending on the outcome of a race condition in resolver.c. While difficult to exploit reliably, a malicious party could, through deliberate behavior, significantly increase the probability of encountering the triggering condition, resulting in denial-of-service to clients if successful.

Comment 1 Martin Prpič 2015-12-14 09:13:35 UTC
Acknowledgements:

Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges John O'Brien of the University of Pennsylvania as the original reporter.

Comment 3 Tomas Hoger 2015-12-15 21:02:38 UTC
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01319

Comment 4 Tomas Hoger 2015-12-15 21:08:44 UTC
Created bind tracking bugs for this issue:

Affects: fedora-23 [bug 1291911]

Comment 5 Tomas Hoger 2015-12-15 21:09:49 UTC
No Red Hat product included affected bind versions.

Comment 6 Nick Urbanik 2015-12-17 05:05:47 UTC
Is this not the same vulnerability that caught us yesterday:

16-Dec-2015 03:33:25.000 client: client 10.206.88.22#11109: recursive-clients soft limit exceeded (9904/9900/10000), aborting oldest query
16-Dec-2015 03:33:25.940 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 03:33:25.941 general: exiting (due to assertion failure)
16-Dec-2015 06:29:47.000 client: client 49.199.24.156#43970: recursive-clients soft limit exceeded (9909/9900/10000), aborting oldest query
16-Dec-2015 06:29:47.521 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:47.521 general: exiting (due to assertion failure)
16-Dec-2015 06:29:08.000 client: client 10.204.43.127#5035: recursive-clients soft limit exceeded (9907/9900/10000), aborting oldest query
16-Dec-2015 06:29:08.556 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:08.556 general: exiting (due to assertion failure)
16-Dec-2015 13:23:39.002 client: client 110.21.91.221#53551: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:23:39.817 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:23:39.817 general: exiting (due to assertion failure)
16-Dec-2015 13:54:45.000 client: client 10.204.44.161#28244: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:54:45.592 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:54:45.592 general: exiting (due to assertion failure)
16-Dec-2015 15:44:36.000 client: client 49.195.170.22#18817: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 15:44:36.716 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 15:44:36.716 general: exiting (due to assertion failure)
16-Dec-2015 06:27:36.000 client: client 10.204.247.33#14995: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 06:27:36.613 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:27:36.614 general: exiting (due to assertion failure)
16-Dec-2015 06:50:06.000 client: client 49.195.168.80#59498: recursive-clients soft limit exceeded (9909/9900/10000), aborting oldest query
16-Dec-2015 06:50:06.376 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:50:06.376 general: exiting (due to assertion failure)
16-Dec-2015 11:27:51.008 client: client 58.111.135.165#58059: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 11:27:51.195 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 11:27:51.195 general: exiting (due to assertion failure)
16-Dec-2015 12:54:55.002 client: client 10.204.10.25#10198: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 12:54:55.765 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 12:54:55.765 general: exiting (due to assertion failure)
16-Dec-2015 13:47:52.001 client: client 1.40.136.246#58047: recursive-clients soft limit exceeded (9901/9900/10000), aborting oldest query
16-Dec-2015 13:47:52.285 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 13:47:52.285 general: exiting (due to assertion failure)

This was bind-*9.8.2-0.37.rc1.el6_7.4.x86_64

We have upgraded to bind-*9.8.2-0.37.rc1.el6_7.5.x86_64,
but are you saying that what we see cannot happen?
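
A log triage for the question raised in comment 6, as an added example that is not part of the bug report or of BIND: it extracts each assertion failure from a named log and compares it with the signature the description gives (an INSIST in resolver.c on one of the listed releases). The function name `triage`, the 2-second correlation window and the sample log are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Releases named as affected in the bug description (range endpoints
# enumerated; treating them as the complete set is an assumption).
AFFECTED = {"9.9.8", "9.9.8-P1", "9.9.8-S1", "9.9.8-S2", "9.10.3", "9.10.3-P1"}

# Constructed sample in the format of the log lines quoted in comment 6
# (documentation-range client address, shortened to two crash events).
SAMPLE_LOG = """\
16-Dec-2015 03:33:25.000 client: client 192.0.2.10#11109: recursive-clients soft limit exceeded (9904/9900/10000), aborting oldest query
16-Dec-2015 03:33:25.940 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 03:33:25.941 general: exiting (due to assertion failure)
16-Dec-2015 06:29:47.521 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
16-Dec-2015 06:29:47.521 general: exiting (due to assertion failure)
"""

LINE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+): (.*)$")
ASSERT = re.compile(r"^(\S+\.c):(\d+): (REQUIRE|INSIST|ENSURE|INVARIANT)\((.*)\) failed$")

def triage(log_text, version, window_s=2.0):
    """Return one dict per assertion failure found in a named log."""
    events, last_soft_limit = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        if "recursive-clients soft limit exceeded" in m.group(3):
            last_soft_limit = ts
        a = ASSERT.match(m.group(3))
        if a:
            # Was the crash logged right after a soft-limit abort?
            near = (last_soft_limit is not None and
                    0 <= (ts - last_soft_limit).total_seconds() <= window_s)
            events.append({
                "time": ts, "file": a.group(1), "line": int(a.group(2)),
                "macro": a.group(3), "after_soft_limit": near,
                # Advisory signature from the description: an INSIST in
                # resolver.c on one of the listed releases.
                "matches_advisory": (a.group(3) == "INSIST" and
                                     a.group(1) == "resolver.c" and
                                     version in AFFECTED),
            })
    return events
```

Calling `triage(SAMPLE_LOG, "9.8.2")` reports two REQUIRE failures at resolver.c:3123, neither of which matches the INSIST signature or the affected release list.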

Comment 8 Fedora Update System 2015-12-19 18:25:04 UTC
bind-9.10.3-7.P2.fc23, bind-dyndb-ldap-8.0-4.fc23, dnsperf-2.0.0.0-19.fc23 have been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-12-22 07:22:51 UTC
bind-9.10.3-7.P2.fc22, bind-dyndb-ldap-7.0-6.fc22, dnsperf-2.0.0.0-19.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.