Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1441125 (CVE-2017-3136)

Summary: CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with "break-dnssec yes;"
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apmukher, jaeshin, pemensik, security-response-team, slawomir, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bind 9.9.9-P8, bind 9.10.4-P8, bind 9.11.0-P5 Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:10:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1441616, 1441617, 1441916, 1441917, 1442980, 1442981    
Bug Blocks:    

Description Adam Mariš 2017-04-11 09:34:14 UTC
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Servers are at risk if they are configured to use DNS64 and if the option "break-dnssec yes;" is in use.

External References:

https://kb.isc.org/article/AA-01465

Mitigation:

Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade.  Servers which are not using these features in conjunction are not at risk from this defect.

Comment 1 Adam Mariš 2017-04-11 09:34:20 UTC
Acknowledgments:

Name: ISC
Upstream: Oleg Gorokhov (Yandex)

Comment 3 Dhiru Kholia 2017-04-13 05:40:43 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1441916]

Comment 4 Dhiru Kholia 2017-04-13 05:40:50 UTC
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1441917]

Comment 7 errata-xmlrpc 2017-04-19 06:28:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1095 https://access.redhat.com/errata/RHSA-2017:1095

Comment 8 errata-xmlrpc 2017-04-20 12:54:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1105 https://access.redhat.com/errata/RHSA-2017:1105