Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

2017-10-23 Thread Bernhard Schmidt
Control: fixed -1 bind9/1:9.10.6+dfsg-1

Fixed upstream

--- 9.10.5rc2 released ---

4578.   [security]  Some chaining (CNAME or DNAME) responses to upstream
                    queries could trigger assertion failures.
                    (CVE-2017-3137) [RT #44734]




Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

2017-05-10 Thread Salvatore Bonaccorso
On Thu, May 11, 2017 at 08:27:57AM +0200, Salvatore Bonaccorso wrote:
> On Thu, May 11, 2017 at 08:19:15AM +0200, Salvatore Bonaccorso wrote:
> > Hi
> > 
> > Packages for testing can be found at:
> > 
> > https://people.debian.org/~carnil/tmp/bind9/
> > 
> > (amd64 build only), and attached the debdiff.
> 
> There was an error in those packages and I have removed them again.

Corrected version re-uploaded.

Regards,
Salvatore
diff -u bind9-9.9.5.dfsg/bin/named/query.c bind9-9.9.5.dfsg/bin/named/query.c
--- bind9-9.9.5.dfsg/bin/named/query.c
+++ bind9-9.9.5.dfsg/bin/named/query.c
@@ -7325,6 +7325,7 @@
result = query_dns64(client, &fname, rdataset,
 sigrdataset, dbuf,
 DNS_SECTION_ANSWER);
+   noqname = NULL;
dns_rdataset_disassociate(rdataset);
dns_message_puttemprdataset(client->message, &rdataset);
if (result == ISC_R_NOMORE) {
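Review bot: the added `noqname = NULL;` carries no comment explaining why the pointer has to be cleared in the dns64 branch before `dns_rdataset_disassociate(rdataset)`; since the changelog in this same debdiff ties the dns64 assertion failure to CVE-2017-3136, a one-line comment naming that CVE and the reason for the reset would save the next reader from re-deriving it.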
diff -u bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db 
bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db
--- bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db
+++ bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db
@@ -29,6 +29,7 @@
 short-dnameDNAME   short
 a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
 long-dname DNAME   
longlonglonglonglonglonglonglonglonglonglonglonglong
+toolong-dname  DNAME   
longlonglonglonglonglonglonglonglonglonglonglonglong
 cname  CNAME   a.cnamedname
 cnamedname DNAME   target
 a.target   A   10.0.0.3
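Review bot: the new `toolong-dname` record points at exactly the same `longlong...` target as the existing `long-dname` record, so the two differ only in their owner name; a zone-file comment stating that the second owner exists purely so the recursive test can query a DNAME that is not yet in the cache would make that intent obvious to anyone later pruning what looks like a duplicate record.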
diff -u bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh 
bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh
--- bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh
+++ bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh
@@ -56,10 +56,19 @@
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
-echo "I:checking (too) long dname from recursive"
+echo "I:checking (too) long dname from recursive with cached DNAME"
+ret=0 
+$DIG 
01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example
 @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
+grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > 
/dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking (too) long dname from recursive without cached DNAME"
 ret=0
-$DIG 
01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example
 @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1
-grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
+$DIG 
01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example
 @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
+grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > 
/dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
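Review bot: the two queried names differ in more than the final owner label: the third `long...` label in the `toolong-dname.example` query is shorter than the corresponding label in the `long-dname.example` query. If that is deliberate (keeping the query name itself within the name-length limit after the longer owner label), the test should say so in a comment; if not, the two cases exercise different lengths and the "without cached DNAME" case may not hit the intended boundary. Minor: the new `ret=0` line after the first echo has a trailing space.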
diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
--- bind9-9.9.5.dfsg/debian/changelog
+++ bind9-9.9.5.dfsg/debian/changelog
@@ -1,3 +1,22 @@
+bind9 (1:9.9.5.dfsg-9+deb8u11) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Dns64 with "break-dnssec yes;" can result in a assertion failure.
+(CVE-2017-3136) (Closes: #860224)
+  * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
+If not cherry-picking this change the fix for CVE-2017-3137 can cause an
+assertion failure to appear in name.c.
+  * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
+assertion failures (CVE-2017-3137) (Closes: #860225)
+  * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries
+could trigger assertion failures. (CVE-2017-3137)
+  * Fix regression introduced when handling CNAME to referral below the
+current domain
+  * 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138)
+(Closes: #860226)
+
+ -- Salvatore Bonaccorso   Thu, 11 May 2017 08:39:19 +0200
+
 bind9 (1:9.9.5.dfsg-9+deb8u10) jessie-security; urgency=medium
 
   * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
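Review bot: the entry lists CVE-2017-3137 twice, once as "Some chaining (CNAME or DNAME) responses ... (Closes: #860225)" and again as "Reimplement: Some chaining ..."; the two read as the same fix, so either merge them or state which upstream change each one corresponds to so that the reimplementation is distinguishable from the original fix. Also "a assertion failure" should be "an assertion failure" in both the Dns64 and the rndc entries.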
diff -u bind9-9

Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

2017-05-10 Thread Salvatore Bonaccorso
On Thu, May 11, 2017 at 08:19:15AM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> Packages for testing can be found at:
> 
> https://people.debian.org/~carnil/tmp/bind9/
> 
> (amd64 build only), and attached the debdiff.

There was an error in those packages and I have removed them again.

Salvatore



Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

2017-05-10 Thread Salvatore Bonaccorso
Hi

Packages for testing can be found at:

https://people.debian.org/~carnil/tmp/bind9/

(amd64 build only), and attached the debdiff.

I would appreciate any testing feedback from the people who mentioned in this
bug that they are affected by the issue.

Thanks already in advance,

Regards,
Salvatore
diff -u bind9-9.9.5.dfsg/bin/named/query.c bind9-9.9.5.dfsg/bin/named/query.c
--- bind9-9.9.5.dfsg/bin/named/query.c
+++ bind9-9.9.5.dfsg/bin/named/query.c
@@ -7330,6 +7330,7 @@
result = query_dns64(client, &fname, rdataset,
 sigrdataset, dbuf,
 DNS_SECTION_ANSWER);
+   noqname = NULL;
dns_rdataset_disassociate(rdataset);
dns_message_puttemprdataset(client->message, &rdataset);
if (result == ISC_R_NOMORE) {
diff -u bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db 
bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db
--- bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db
+++ bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db
@@ -29,6 +29,7 @@
 short-dnameDNAME   short
 a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
 long-dname DNAME   
longlonglonglonglonglonglonglonglonglonglonglonglong
+toolong-dname  DNAME   
longlonglonglonglonglonglonglonglonglonglonglonglong
 cname  CNAME   a.cnamedname
 cnamedname DNAME   target
 a.target   A   10.0.0.3
diff -u bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh 
bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh
--- bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh
+++ bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh
@@ -56,10 +56,19 @@
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
-echo "I:checking (too) long dname from recursive"
+echo "I:checking (too) long dname from recursive with cached DNAME"
+ret=0 
+$DIG 
01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example
 @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
+grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > 
/dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking (too) long dname from recursive without cached DNAME"
 ret=0
-$DIG 
01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example
 @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1
-grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
+$DIG 
01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example
 @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
+grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > 
/dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
--- bind9-9.9.5.dfsg/debian/changelog
+++ bind9-9.9.5.dfsg/debian/changelog
@@ -1,3 +1,22 @@
+bind9 (1:9.9.5.dfsg-9+deb8u10) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Dns64 with "break-dnssec yes;" can result in a assertion failure.
+(CVE-2017-3136) (Closes: #860224)
+  * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
+If not cherry-picking this chane the fix for CVE-2017-3137 can causs an
+assertion failure to appear in name.c.
+  * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
+assertion failures (CVE-2017-3137) (Closes: #860225)
+  * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries
+could trigger assertion failures. (CVE-2017-3137)
+  * Fix regression introduced when handling CNAME to referral below the
+current domain
+  * 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138)
+(Closes: #860226)
+
+ -- Salvatore Bonaccorso   Thu, 11 May 2017 07:40:56 +0200
+
 bind9 (1:9.9.5.dfsg-9+deb8u9) jessie-security; urgency=medium
 
   * Apply patches from ISC.
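Review bot: the new entry's version `1:9.9.5.dfsg-9+deb8u10` is stacked directly on `deb8u9` here, but a `deb8u10` release already exists: the 2017-04-27 follow-up in this bug reports `Version: 1:9.9.5.dfsg-9+deb8u10` installed, and the corrected debdiff at the top of this thread places its entry above a `deb8u10` changelog entry for the CVE-2016-8864 regression fix. The upload would collide with that version and needs bumping to `deb8u11`. Also, in the CVE-2017-3137 prerequisite entry, "chane" should be "change" and "causs" should be "cause", and "a assertion failure" should be "an assertion failure".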
diff -u bind9-9.9.5.dfsg/lib/dns/resolver.c bind9-9.9.5.dfsg/lib/dns/resolver.c
--- bind9-9.9.5.dfsg/lib/dns/resolver.c
+++ bind9-9.9.5.dfsg/lib/dns/resolver.c
@@ -3821,6 +3821,7 @@
isc_resu

Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

2017-05-07 Thread Cédric Dufour - Idiap Research Institute
Same here.

Multi/redundant DNS servers do not help, the culprit recursive query being sent
multiple times by the client as each DNS server falls in turn.
And multi-firewall/IPS doesn't help catch the faulty packets :-(

I may state the obvious, but the only workaround so far is (it has already saved the night
a few times):
$ cat /etc/cron.d/cve-2017-3137 
# Make sure BIND9 has not crashed (cf. CVE-2017-3137)
* * * * * root pgrep named >/dev/null || service bind9 restart
(not so elegant however)

Any hope Debian/Stable BIND gets patched?
(that's a pretty severe DoS vulnerability we have here)

Thanks and sincerely,

Cédric



Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

2017-04-27 Thread Luca Galassi
Package: bind9
Version: 1:9.9.5.dfsg-9+deb8u10
Followup-For: Bug #860225

Dear Maintainer,



-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)


-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// zones for which ns2 is a slave of ns1
include "/etc/bind/named.conf.local.slave";
// reverse zones
include "/etc/bind/named.conf.local.reverse";
// zones for which ns2 is a slave of customer servers
include "/etc/bind/named.conf.local.slave_ext";
// zones blocked by the authority;
include "/etc/bind/named.conf.local.bloccati";
//
// Add only MASTER zones here
//
zone "acantho.net" IN {
        type master;
        file "/etc/bind/master/acantho.net";
};
// *
//
// the following zones are internal to acantho, and must have the restriction:
// allow-query { dns-allowed-internal; };
//
//
zone "acantho.nt" IN {
        type master;
        file "/etc/bind/master/acantho.nt";
        allow-query { dns-allowed-internal; };
};
zone "acantho.idc" IN {
        type master;
        file "/etc/bind/master/acantho.idc";
};
zone "noc.acantho.idc" {
        type master;    // what used to be called "primary"
        file "/etc/bind/master/noc.acantho.idc";
        allow-query { dns-allowed-internal; };
        sig-validity-interval 990;
};
zone "acantho.sys" {
        type master;    // what used to be called "primary"
        file "/etc/bind/master/acantho.sys";
        allow-query { dns-allowed-internal; };
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false





root@ns2:/var/log# grep named syslog | grep " 13:1"
Apr 27 13:10:23 ns2 named[29566]: rate-limit: would stop limiting NXDOMAIN responses to 213.209.226.5/32 for smg.ultra.brightmail.com  (3b7d8bd6)
Apr 27 13:10:47 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 213.174.182.194/32 for zen.spamhaus.org  (393fe905)
Apr 27 13:11:05 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 77.89.18.196/32 for zen.spamhaus.org  (393fe905)
Apr 27 13:11:05 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 77.89.18.196/32 for sbl.spamhaus.org  (393fe6b1)
Apr 27 13:11:45 ns2 named[29566]: general: resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
Apr 27 13:11:45 ns2 named[29566]: general: #0 0x7fcb266dfa00 in ??
Apr 27 13:11:45 ns2 named[29566]: general: #1 0x7fcb248bb8ea in ??
Apr 27 13:11:45 ns2 named[29566]: general: #2 0x7fcb25fa114e in ??
Apr 27 13:11:45 ns2 named[29566]: general: #3 0x7fcb248ddd5b in ??
Apr 27 13:11:45 ns2 named[29566]: general: #4 0x7fcb2428e064 in ??
Apr 27 13:11:45 ns2 named[29566]: general: #5 0x7fcb23c5c62d in ??
Apr 27 13:11:45 ns2 named[29566]: general: exiting (due to assertion failure)



This issue is very critical for us!

This event happened twice in three days.

Best regards.

Luca Galassi
Acantho



Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

2017-04-24 Thread Jan Sechovec (skudlik)

Hello,

Debian Jessie, bind9 9:1:9.9.5.dfsg-9+deb8u10

Same problem, bind goes down after a few hours... something has started
abusing this vulnerability.


24-Apr-2017 23:21:22.592 resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace

24-Apr-2017 23:21:22.592 #0 0x7eff74c11a00 in ??
24-Apr-2017 23:21:22.592 #1 0x7eff72ded8ea in ??
24-Apr-2017 23:21:22.592 #2 0x7eff744d314e in ??
24-Apr-2017 23:21:22.592 #3 0x7eff72e0fd5b in ??
24-Apr-2017 23:21:22.592 #4 0x7eff727c0064 in ??
24-Apr-2017 23:21:22.592 #5 0x7eff7218e62d in ??
24-Apr-2017 23:21:22.592 exiting (due to assertion failure)

The problem is for us really critical.

Thanks in advance,

Jan
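
Detection logic for the crash signature in the two reports above, added here as an example (not code from the bug thread or from ISC): it parses both the syslog format and named's own logfile format quoted in this bug, pairs each INSIST line with the "exiting (due to assertion failure)" marker that follows it, and flags the resolver.c fctx->type assertion these reporters hit. The sample log lines are constructed, and the line number 4350 is specific to the Debian 9.9.5 build, so the CVE match keys on the file and the asserted expression rather than the line.

```python
import re
from dataclasses import dataclass

# Assertion line shared by the two log formats quoted in this bug (syslog via
# "named[pid]: general: ..." and named's own logfile):
#   "<file>.c:<line>: INSIST(<condition>) failed, back trace"
ASSERT_RE = re.compile(
    r"(?P<file>[\w./-]+\.c):(?P<line>\d+): "
    r"(?P<kind>INSIST|REQUIRE|ENSURE|INVARIANT)\((?P<cond>.*)\) failed"
)
EXIT_MARK = "exiting (due to assertion failure)"

# Signature of the crash reported here against the Debian 9.9.5 build (an
# INSIST on fctx->type in resolver.c); line numbers shift between builds.
CVE_2017_3137_SIG = ("resolver.c", "fctx->type ==")


@dataclass
class AssertionEvent:
    file: str
    line: int
    kind: str
    condition: str
    exited: bool = False  # set once the matching exit marker is seen

    def matches_cve_2017_3137(self) -> bool:
        path, needle = CVE_2017_3137_SIG
        return self.file.endswith(path) and needle in self.condition


def scan(lines):
    """Return one AssertionEvent per assertion failure in the log lines."""
    events = []
    for raw in lines:
        m = ASSERT_RE.search(raw)
        if m:
            events.append(AssertionEvent(m["file"], int(m["line"]),
                                         m["kind"], m["cond"].strip()))
        elif EXIT_MARK in raw and events and not events[-1].exited:
            # named prints the exit marker after the back trace of the
            # assertion it just reported, so it belongs to the last event.
            events[-1].exited = True
    return events


# Constructed sample: one syslog-style and one named-logfile-style crash,
# modelled on the excerpts quoted in this bug (not the reporters' raw logs).
INSIST = ("INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || "
          "fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || "
          "fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace")
SAMPLE_LOG = [
    "Apr 27 13:11:45 ns2 named[29566]: general: resolver.c:4350: " + INSIST,
    "Apr 27 13:11:45 ns2 named[29566]: general: #0 0x7fcb266dfa00 in ??",
    "Apr 27 13:11:45 ns2 named[29566]: general: " + EXIT_MARK,
    "24-Apr-2017 23:21:22.592 resolver.c:4350: " + INSIST,
    "24-Apr-2017 23:21:22.592 " + EXIT_MARK,
]
```

Feeding `scan()` the output of `grep named /var/log/syslog` gives one event per crash, with `exited` showing whether named actually went down, which is the signal a restart watchdog or an alert should key on.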



Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

2017-04-12 Thread Salvatore Bonaccorso
Source: bind9
Version: 1:9.9.5.dfsg-9
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for bind9.

CVE-2017-3137[0]:
|A response packet can cause a resolver to terminate when processing an
|answer containing a CNAME or DNAME

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137
[1] https://kb.isc.org/article/AA-01466

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)