Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
Control: fixed -1 bind9/1:9.10.6+dfsg-1

Fixed upstream

--- 9.10.5rc2 released ---

4578.   [security]      Some chaining (CNAME or DNAME) responses to upstream
                        queries could trigger assertion failures. (CVE-2017-3137)
                        [RT #44734]
Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
On Thu, May 11, 2017 at 08:27:57AM +0200, Salvatore Bonaccorso wrote:
> On Thu, May 11, 2017 at 08:19:15AM +0200, Salvatore Bonaccorso wrote:
> > Hi
> >
> > Packages for testing can be found at:
> >
> > https://people.debian.org/~carnil/tmp/bind9/
> >
> > (amd64 build only), and attached the debdiff.
>
> There was an error in those packages and I have removed them again.

Corrected version re-uploaded.

Regards,
Salvatore

diff -u bind9-9.9.5.dfsg/bin/named/query.c bind9-9.9.5.dfsg/bin/named/query.c --- bind9-9.9.5.dfsg/bin/named/query.c +++ bind9-9.9.5.dfsg/bin/named/query.c @@ -7325,6 +7325,7 @@ result = query_dns64(client, &fname, rdataset, sigrdataset, dbuf, DNS_SECTION_ANSWER); + noqname = NULL; dns_rdataset_disassociate(rdataset); dns_message_puttemprdataset(client->message, &rdataset); if (result == ISC_R_NOMORE) { diff -u bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db --- bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db +++ bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db @@ -29,6 +29,7 @@ short-dnameDNAME short a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2 long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong +toolong-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong cname CNAME a.cnamedname cnamedname DNAME target a.target A 10.0.0.3 diff -u bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh --- bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh +++ bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh 
@@ -56,10 +56,19 @@ if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` -echo "I:checking (too) long dname from recursive" +echo "I:checking (too) long dname from recursive with cached DNAME" +ret=0 +$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1 +grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking (too) long dname from recursive without cached DNAME" ret=0 -$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1 +$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1 +grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog --- bind9-9.9.5.dfsg/debian/changelog +++ bind9-9.9.5.dfsg/debian/changelog 
@@ -1,3 +1,22 @@ +bind9 (1:9.9.5.dfsg-9+deb8u11) jessie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Dns64 with "break-dnssec yes;" can result in a assertion failure. +(CVE-2017-3136) (Closes: #860224) + * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190. +If not cherry-picking this change the fix for CVE-2017-3137 can cause an +assertion failure to appear in name.c. + * Some chaining (CNAME or DNAME) responses to upstream queries could trigger +assertion failures (CVE-2017-3137) (Closes: #860225) + * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries +could trigger assertion failures. (CVE-2017-3137) + * Fix regression introduced when handling CNAME to referral below the +current domain + * 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138) +(Closes: #860226) + + -- Salvatore Bonaccorso Thu, 11 May 2017 08:39:19 +0200 + bind9 (1:9.9.5.dfsg-9+deb8u10) jessie-security; urgency=medium * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540). diff -u bind9-9
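Review bot: the `noqname = NULL;` added after the query_dns64() call in the bin/named/query.c hunk carries no comment, and the lines right after it disassociate `rdataset` and hand it back to the message; a one-line comment stating what `noqname` may still refer to at this point and why it must not survive past `dns_rdataset_disassociate(rdataset)` would save the next reader from having to rediscover that (the changelog ties this hunk to CVE-2017-3136, which is also worth naming in the comment).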
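Review bot: in the ns2/example.db hunk the new `toolong-dname` record has exactly the same DNAME target as the existing `long-dname` record, so the zone file alone does not explain why two otherwise identical DNAMEs exist; a comment saying that `toolong-dname` is a second DNAME kept out of the recursive server's cache until the "without cached DNAME" test queries it would document the fixture.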
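Review bot: the tests.sh hunk has an undocumented ordering dependency: the "without cached DNAME" check only exercises the uncached path because `toolong-dname.example` has not been sent to 10.53.0.4 earlier in the script, while the "with cached DNAME" check just before it relies on `long-dname.example` already being in that server's cache; a comment above the second block stating this would stop a future reordering from silently turning both checks into the same case. The two query names also differ on purpose: the uncached one's third long label appears to be one `long` shorter, which keeps the owner name under the 255-octet limit once the longer `toolong-dname` label is appended, and that deserves a word so nobody "fixes" it back to match the first query.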
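Review bot: two wording points in the debian/changelog hunk: "a assertion failure" should read "an assertion failure" (it occurs in both the Dns64 bullet and the `rndc ""` bullet), and CVE-2017-3137 is listed twice, once as "Some chaining ... (Closes: #860225)" and once as "Reimplement: Some chaining ...", without saying how the second bullet relates to the first; a short phrase explaining that the second is a follow-up upstream change to the same fix would tell readers why the same CVE appears twice.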
Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
On Thu, May 11, 2017 at 08:19:15AM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> Packages for testing can be found at:
>
> https://people.debian.org/~carnil/tmp/bind9/
>
> (amd64 build only), and attached the debdiff.

There was an error in those packages and I have removed them again.

Salvatore
Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
Hi

Packages for testing can be found at:

https://people.debian.org/~carnil/tmp/bind9/

(amd64 build only), and attached the debdiff.

I would appreciate any testing feedback from people mentioning in this bug that they are affected by the issue.

Thanks already in advance,

Regards,
Salvatore

diff -u bind9-9.9.5.dfsg/bin/named/query.c bind9-9.9.5.dfsg/bin/named/query.c --- bind9-9.9.5.dfsg/bin/named/query.c +++ bind9-9.9.5.dfsg/bin/named/query.c @@ -7330,6 +7330,7 @@ result = query_dns64(client, &fname, rdataset, sigrdataset, dbuf, DNS_SECTION_ANSWER); + noqname = NULL; dns_rdataset_disassociate(rdataset); dns_message_puttemprdataset(client->message, &rdataset); if (result == ISC_R_NOMORE) { diff -u bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db --- bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db +++ bind9-9.9.5.dfsg/bin/tests/system/dname/ns2/example.db @@ -29,6 +29,7 @@ short-dnameDNAME short a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2 long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong +toolong-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong cname CNAME a.cnamedname cnamedname DNAME target a.target A 10.0.0.3 diff -u bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh --- bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh +++ bind9-9.9.5.dfsg/bin/tests/system/dname/tests.sh 
@@ -56,10 +56,19 @@ if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` -echo "I:checking (too) long dname from recursive" +echo "I:checking (too) long dname from recursive with cached DNAME" +ret=0 +$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1 +grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking (too) long dname from recursive without cached DNAME" ret=0 -$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1 +$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1 +grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog --- bind9-9.9.5.dfsg/debian/changelog +++ bind9-9.9.5.dfsg/debian/changelog 
@@ -1,3 +1,22 @@ +bind9 (1:9.9.5.dfsg-9+deb8u10) jessie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Dns64 with "break-dnssec yes;" can result in a assertion failure. +(CVE-2017-3136) (Closes: #860224) + * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190. +If not cherry-picking this chane the fix for CVE-2017-3137 can causs an +assertion failure to appear in name.c. + * Some chaining (CNAME or DNAME) responses to upstream queries could trigger +assertion failures (CVE-2017-3137) (Closes: #860225) + * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries +could trigger assertion failures. (CVE-2017-3137) + * Fix regression introduced when handling CNAME to referral below the +current domain + * 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138) +(Closes: #860226) + + -- Salvatore Bonaccorso Thu, 11 May 2017 07:40:56 +0200 + bind9 (1:9.9.5.dfsg-9+deb8u9) jessie-security; urgency=medium * Apply patches from ISC. diff -u bind9-9.9.5.dfsg/lib/dns/resolver.c bind9-9.9.5.dfsg/lib/dns/resolver.c --- bind9-9.9.5.dfsg/lib/dns/resolver.c +++ bind9-9.9.5.dfsg/lib/dns/resolver.c @@ -3821,6 +3821,7 @@ isc_resu
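Review bot: the version in the new debian/changelog entry, 1:9.9.5.dfsg-9+deb8u10, is already taken: the reporters in this bug run exactly that version (see the "Version: 1:9.9.5.dfsg-9+deb8u10" follow-up), and the entry that precedes the new one in this hunk is deb8u9 rather than deb8u10, so the debdiff appears to be built on an outdated source tree and would drop whatever deb8u10 changed. It should be regenerated against the current deb8u10 source with the version bumped to deb8u11. The entry also has typos: "this chane" (change), "causs" (cause) and "a assertion failure" (twice, should be "an assertion failure").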
Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
Same here. Multi/redundant DNS servers do not help, the culprit recursive query being sent multiple times by client as each DNS server falls in turn. And multi-firewall/IPS doesn't help catching the faulty packets :-(

I may state the obvious, but only workaround so far is (already saved the night a few times):

$ cat /etc/cron.d/cve-2017-3137
# Make sure BIND9 has not crashed (cf. CVE-2017-3137)
* * * * * root pgrep named >/dev/null || service bind9 restart

(not so elegant however)

Any hope Debian/Stable BIND gets patched? (that's a pretty severe DoS vulnerability we have here)

Thanks and sincerely,
Cédric
Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
Package: bind9
Version: 1:9.9.5.dfsg-9+deb8u10
Followup-For: Bug #860225

Dear Maintainer,

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages bind9 depends on:
ii  adduser                3.113+nmu3
ii  bind9utils             1:9.9.5.dfsg-9+deb8u10
ii  debconf [debconf-2.0]  1.5.56
ii  init-system-helpers    1.22
ii  libbind9-90            1:9.9.5.dfsg-9+deb8u10
ii  libc6                  2.19-18+deb8u7
ii  libcap2                1:2.24-8
ii  libcomerr2             1.42.12-2+b1
ii  libdns100              1:9.9.5.dfsg-9+deb8u10
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libisc95               1:9.9.5.dfsg-9+deb8u10
ii  libisccc90             1:9.9.5.dfsg-9+deb8u10
ii  libisccfg90            1:9.9.5.dfsg-9+deb8u10
ii  libk5crypto3           1.12.1+dfsg-19+deb8u2
ii  libkrb5-3              1.12.1+dfsg-19+deb8u2
ii  liblwres90             1:9.9.5.dfsg-9+deb8u10
ii  libssl1.0.0            1.0.1t-1+deb8u6
ii  libxml2                2.9.1+dfsg1-5+deb8u4
ii  lsb-base               4.1+Debian13+nmu1
ii  net-tools              1.60-26+b1
ii  netbase                5.3

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc
ii  dnsutils               1:9.9.5.dfsg-9+deb8u10
pn  resolvconf
pn  ufw

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// zones for which ns2 is a slave of ns1
include "/etc/bind/named.conf.local.slave";
// reverse zones
include "/etc/bind/named.conf.local.reverse";
// zones for which ns2 is a slave of customer servers
include "/etc/bind/named.conf.local.slave_ext";
// zones blocked by the authority;
include "/etc/bind/named.conf.local.bloccati";
//
// Add only MASTER zones here
//
zone "acantho.net" IN {
        type master;
        file "/etc/bind/master/acantho.net";
};
// *
//
// the following zones are internal to acantho and must have the restriction:
// allow-query { dns-allowed-internal; };
//
//
zone "acantho.nt" IN {
        type master;
        file "/etc/bind/master/acantho.nt";
        allow-query { dns-allowed-internal; };
};
zone "acantho.idc" IN {
        type master;
        file "/etc/bind/master/acantho.idc";
};
zone "noc.acantho.idc" {
        type master;    // what used to be called "primary"
        file "/etc/bind/master/noc.acantho.idc";
        allow-query { dns-allowed-internal; };
        sig-validity-interval 990;
};
zone "acantho.sys" {
        type master;    // what used to be called "primary"
        file "/etc/bind/master/acantho.sys";
        allow-query { dns-allowed-internal; };
};

-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false

root@ns2:/var/log# grep named syslog | grep " 13:1"
Apr 27 13:10:23 ns2 named[29566]: rate-limit: would stop limiting NXDOMAIN responses to 213.209.226.5/32 for smg.ultra.brightmail.com (3b7d8bd6)
Apr 27 13:10:47 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 213.174.182.194/32 for zen.spamhaus.org (393fe905)
Apr 27 13:11:05 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 77.89.18.196/32 for zen.spamhaus.org (393fe905)
Apr 27 13:11:05 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 77.89.18.196/32 for sbl.spamhaus.org (393fe6b1)
Apr 27 13:11:45 ns2 named[29566]: general: resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
Apr 27 13:11:45 ns2 named[29566]: general: #0 0x7fcb266dfa00 in ??
Apr 27 13:11:45 ns2 named[29566]: general: #1 0x7fcb248bb8ea in ??
Apr 27 13:11:45 ns2 named[29566]: general: #2 0x7fcb25fa114e in ??
Apr 27 13:11:45 ns2 named[29566]: general: #3 0x7fcb248ddd5b in ??
Apr 27 13:11:45 ns2 named[29566]: general: #4 0x7fcb2428e064 in ??
Apr 27 13:11:45 ns2 named[29566]: general: #5 0x7fcb23c5c62d in ??
Apr 27 13:11:45 ns2 named[29566]: general: exiting (due to assertion failure)

This issue is very critical for us! This event happened twice in three days.

Best regards.
Luca Galassi
Acantho
Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
Hello,

Debian Jessie, bind9 9:1:9.9.5.dfsg-9+deb8u10

Same problem, bind goes down after a few hours... something has started abusing this vulnerability.

24-Apr-2017 23:21:22.592 resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
24-Apr-2017 23:21:22.592 #0 0x7eff74c11a00 in ??
24-Apr-2017 23:21:22.592 #1 0x7eff72ded8ea in ??
24-Apr-2017 23:21:22.592 #2 0x7eff744d314e in ??
24-Apr-2017 23:21:22.592 #3 0x7eff72e0fd5b in ??
24-Apr-2017 23:21:22.592 #4 0x7eff727c0064 in ??
24-Apr-2017 23:21:22.592 #5 0x7eff7218e62d in ??
24-Apr-2017 23:21:22.592 exiting (due to assertion failure)

The problem is for us really critical.

Thanks in advance,
Jan
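The two crash reports above (Luca's, logged through syslog, and Jan's, from named's own log file) show the same INSIST failure in resolver.c. The following scanner is an added example, not part of this bug report, of bind9 or of the Debian package: it parses both log formats, groups each INSIST line with its backtrace frames and the final "exiting" line, and flags records that match the signature quoted here, so an operator can count crashes per host before deciding whether the pgrep-and-restart workaround is enough. The function names are the example's own; the line number 4350 is assumed to be specific to the 1:9.9.5.dfsg-9+deb8u10 build, so the match is on the file and the failed condition rather than the line; the sample log is constructed from the lines quoted in the thread plus one benign rate-limit line.

```python
"""Scan named logs for the resolver.c assertion-failure crash signature
reported in Debian bug #860225 (example code added to the thread)."""
import re

# named logged via syslog: "Apr 27 13:11:45 ns2 named[29566]: general: <msg>"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'named\[(?P<pid>\d+)\]: (?:(?P<cat>[a-z-]+): )?(?P<msg>.*)$')
# named's own file log: "24-Apr-2017 23:21:22.592 <msg>" (category optional)
NAMEDLOG_RE = re.compile(
    r'^(?P<ts>\d\d-[A-Z][a-z]{2}-\d{4} \d\d:\d\d:\d\d\.\d{3}) '
    r'(?:(?P<cat>[a-z-]+): )?(?P<msg>.*)$')
# The three message kinds that make up one crash report.
INSIST_RE = re.compile(r'^(?P<file>[\w./-]+\.c):(?P<line>\d+): INSIST\((?P<cond>.+)\) failed')
FRAME_RE = re.compile(r'^#\d+ 0x[0-9a-fA-F]+ in ')
EXIT_RE = re.compile(r'^exiting \(due to assertion failure\)')


def parse_line(raw):
    """Split one log line into (timestamp, host, pid, message). host and pid
    are None for named's own log format; unparsable lines give None."""
    m = SYSLOG_RE.match(raw)
    if m:
        return m['ts'], m['host'], m['pid'], m['msg']
    m = NAMEDLOG_RE.match(raw)
    if m:
        return m['ts'], None, None, m['msg']
    return None


def find_assertion_crashes(lines):
    """Return one record per 'INSIST(...) failed' event. Backtrace frames and
    the final 'exiting' line are attached to the most recent INSIST record."""
    crashes = []
    current = None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, pid, msg = parsed
        m = INSIST_RE.match(msg)
        if m:
            current = {'timestamp': ts, 'host': host, 'pid': pid,
                       'location': f"{m['file']}:{m['line']}",
                       'condition': m['cond'], 'frames': 0, 'exited': False}
            crashes.append(current)
        elif current is not None and FRAME_RE.match(msg):
            current['frames'] += 1
        elif current is not None and EXIT_RE.match(msg):
            current['exited'] = True
            current = None  # process is gone; the next INSIST is a new crash
    return crashes


def matches_reported_signature(crash):
    """True if the crash looks like the one quoted in this bug: an INSIST in
    resolver.c on fctx->type. The line number (4350) is assumed to be specific
    to the 1:9.9.5.dfsg-9+deb8u10 build, so only file and condition are used."""
    return (crash['location'].startswith('resolver.c:')
            and 'fctx->type' in crash['condition']
            and 'dns_rdatatype_any' in crash['condition'])


# Constructed sample: the lines quoted by the reporters above, plus one
# benign rate-limit line to show that it is ignored.
SAMPLE_LOG = """\
Apr 27 13:10:23 ns2 named[29566]: rate-limit: would stop limiting NXDOMAIN responses to 213.209.226.5/32 for smg.ultra.brightmail.com (3b7d8bd6)
Apr 27 13:11:45 ns2 named[29566]: general: resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
Apr 27 13:11:45 ns2 named[29566]: general: #0 0x7fcb266dfa00 in ??
Apr 27 13:11:45 ns2 named[29566]: general: #1 0x7fcb248bb8ea in ??
Apr 27 13:11:45 ns2 named[29566]: general: exiting (due to assertion failure)
24-Apr-2017 23:21:22.592 resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
24-Apr-2017 23:21:22.592 #0 0x7eff74c11a00 in ??
24-Apr-2017 23:21:22.592 exiting (due to assertion failure)
"""

if __name__ == '__main__':
    for c in find_assertion_crashes(SAMPLE_LOG.splitlines()):
        flag = 'matches reported signature' if matches_reported_signature(c) else 'other'
        print(f"{c['timestamp']} host={c['host']} pid={c['pid']} {c['location']} "
              f"frames={c['frames']} exited={c['exited']} [{flag}]")
```

Run it against `/var/log/syslog` or named's log file by feeding the file's lines to `find_assertion_crashes`; a crash count per host over a day is a better basis for judging exposure than a cron job that only notices the process is gone.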
Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
Source: bind9
Version: 1:9.9.5.dfsg-9
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for bind9.

CVE-2017-3137[0]:
|A response packet can cause a resolver to terminate when processing an
|answer containing a CNAME or DNAME

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3137
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137
[1] https://kb.isc.org/article/AA-01466

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)