[afnog] New vulnerability in ISC BIND can cause named to crash

Gael Hernandez gael at pch.net
Wed Jan 17 15:24:14 UTC 2018


(Apologies if you already received this note via other mailing lists)

This might be of interest for networks running bind in their 
infrastructure.

Gaël

Forwarded message:

> Subject: [lacnog] New vulnerability in ISC BIND can cause named to crash
> Date: Wed, 17 Jan 2018 12:29:44 -0200
>
> https://kb.isc.org/article/AA-01542
>
>
> CVE-2017-3145: Improper fetch cleanup sequencing in the resolver can
> cause named to crash
>
> Author: ISC Support  Reference Number: AA-01542  Created:
> 2018-01-16 14:25  Last Updated: 2018-01-16 20:24
>
> Improper sequencing during cleanup can lead to a use-after-free error,
> triggering an assertion failure and crash in named.
>
> CVE:               CVE-2017-3145
> Document Version:  2.0
> Posting date:      16 January 2018
> Program Impacted:  BIND
> Versions affected: 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6,
>                    9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1,
>                    9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1
> Severity:          High
> Exploitable:       Remotely
>
> Description:
>
> BIND was improperly sequencing cleanup operations on upstream recursion
> fetch contexts, leading in some cases to a use-after-free error that can
> trigger an assertion failure and crash in named.
>
> Impact:
>
> While this bug has existed in BIND since 9.0.0, there are no known code
> paths leading to it in ISC releases prior to those containing the fix
> for CVE-2017-3137.  Thus while all instances of BIND ought to be
> patched, only ISC versions [9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6,
> 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and
> 9.12.0a1 to 9.12.0rc1] acting as DNSSEC validating resolvers are
> currently known to crash due to this bug.  The known crash is an
> assertion failure in netaddr.c.
>
> CVSS Score:  7.5
>
> CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>
> For more information on the Common Vulnerability Scoring System and to
> obtain your specific environmental score please visit:
> https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>
> Workarounds:
>
> If an operator is experiencing crashes due to this, temporarily
> disabling DNSSEC validation can be used to avoid the known problematic
> code path while replacement builds are prepared.
>
> Active exploits:
>
> No known active exploits but crashes due to this bug have been reported
> by multiple parties.
>
> Solution:  Upgrade to the patched release most closely related to your
> current version of BIND.  These can all be downloaded from
> http://www.isc.org/downloads.
>
>     BIND 9 version 9.9.11-P1
>     BIND 9 version 9.10.6-P1
>     BIND 9 version 9.11.2-P1
>     BIND 9 version 9.12.0rc2
>
> BIND Supported Preview Edition is a special feature preview branch of
> BIND provided to eligible ISC support customers.
>
>     BIND 9 version 9.9.11-S2
>     BIND 9 version 9.10.6-S2
>
> Acknowledgements: ISC would like to thank Jayachandran Palanisamy of
> Cygate AB for making us aware of this vulnerability.
>
> Document Revision History:
>
> 1.0 Advance Notification, 09 January 2018
> 1.1 Packager Notification, added acknowledgement,  15 January 2018
> 2.0 Public Release, 16 January 2018
>
> Related Documents:
>
> See our BIND9 Security Vulnerability Matrix at
> https://kb.isc.org/article/AA-00913 for a complete listing of Security
> Vulnerabilities and versions affected.
>
> If you'd like more information on ISC Subscription Support and Advance
> Security Notifications, please visit http://www.isc.org/support/.
>
> Do you still have questions?  Questions regarding this advisory should
> go to security-officer at isc.org.  To report a new issue, please encrypt
> your message using security-officer at isc.org's PGP key which can be found
> here:
> https://www.isc.org/downloads/software-support-policy/openpgp-key/.  If
> you are unable to use encrypted email, you may also report new issues
> at: https://www.isc.org/community/report-bug/.
>
> Note: ISC patches only currently supported versions. When possible we
> indicate EOL versions affected.  (For current information on which
> versions are actively supported, please see http://www.isc.org/downloads/).
>
> ISC Security Vulnerability Disclosure Policy:  Details of our current
> security advisory policy and practice can be found here:
> https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html
>
> This Knowledge Base article https://kb.isc.org/article/AA-01542 is the
> complete and official security advisory document.
>
> Legal Disclaimer:
>
> Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
> basis. No warranty or guarantee of any kind is expressed in this notice
> and none should be implied. ISC expressly excludes and disclaims any
> warranties regarding this notice or materials referred to in this
> notice, including, without limitation, any implied warranty of
> merchantability, fitness for a particular purpose, absence of hidden
> defects, or of non-infringement. Your use or reliance on this notice or
> materials referred to in this notice is at your own risk. ISC may change
> this notice at any time.  A stand-alone copy or paraphrase of the text
> of this document that omits the document URL is an uncontrolled copy.
> Uncontrolled copies may lack important information, be out of date, or
> contain factual errors.
>
>
> © 2001-2018 Internet Systems Consortium
>
> _______________________________________________
> LACNOG mailing list
> LACNOG at lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
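
The version ranges in the advisory's "Impact" and "Solution" sections, turned into a triage check for an ISC release number such as the one reported by `named -v`. This is an added example, not part of the advisory or of any ISC tooling; the function names `parse` and `classify`, the status strings and the version grammar in the regular expression are assumptions made for illustration.

```python
import re

# Version grammar assumed here: X.Y.Z, optionally followed by a pre-release
# tag (a1, b1, rc1) or by -P<n> (patch) / -S<n> (Supported Preview Edition).
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+)|-([PS])(\d+))?$")
_STAGE = {"a": 0, "b": 1, "rc": 2}   # pre-releases sort before final (3)

def parse(version):
    """Return (branch, rank); ranks are only comparable within one branch."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, pre, pre_n, tag, tag_n = m.groups()
    branch = (int(major), int(minor), tag == "S")   # -S builds: own branch
    if pre:
        return branch, (int(patch), _STAGE[pre], int(pre_n))
    return branch, (int(patch), 3, int(tag_n or 0))

def _table(*versions):
    return dict(parse(v) for v in versions)

# "Solution" list: first fixed release per branch.
FIXED = _table("9.9.11-P1", "9.10.6-P1", "9.11.2-P1", "9.12.0rc2",
               "9.9.11-S2", "9.10.6-S2")
# "Impact" list: first release per branch with the known crash path.
CRASH_FROM = _table("9.9.9-P8", "9.10.4-P8", "9.11.0-P5", "9.12.0a1",
                    "9.9.9-S10", "9.10.5-S1")

def classify(version):
    branch, rank = parse(version)
    if branch not in FIXED:
        # 9.0.0 to 9.8.x are listed as affected, with no fixed release.
        if branch[0] == 9 and branch[1] <= 8 and not branch[2]:
            return "affected"
        return "unlisted"
    if rank >= FIXED[branch]:
        return "fixed"
    if rank >= CRASH_FROM[branch]:
        return "affected-known-crash"   # if acting as a validating resolver
    return "affected"
```

Distribution packages often backport fixes under their own version strings, which this grammar rejects with `ValueError`; check those against the distributor's advisory instead.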



