Skip to content
GitLab
Closed
Issue created by Ghost User@ghost

[CVE-2019-6476] bind 9.14 crashes at specific response from forwarders

Summary

When bind 9.14 receives an obviously invalid response from a configured forwarders, it crashes.

DNS format error from 213.133.99.99#53 resolving 74.141.6.213.in-addr.arpa/PTR for client 127.0.0.1#49745: non-improving referral
resolver.c:4932: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
#0 0x55b887adf590 in ??
#1 0x7fce15ae853a in ??
#2 0x7fce1648fddb in ??
#3 0x7fce1649181c in ??
#4 0x7fce164967d5 in ??
#5 0x7fce1649a341 in ??
#6 0x7fce1649b066 in ??
#7 0x7fce1649cb50 in ??
#8 0x7fce15b05b29 in ??
#9 0x7fce1507a118 in ??
#10 0x7fce147819df in ??
exiting (due to assertion failure)

BIND version used

BIND 9.14.4 (Stable Release) <id:ab4c496>
running on Linux x86_64 4.19.72-gentoo #1 SMP Mon Sep 16 19:54:42 CEST 2019
built by make with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.14.4' '--htmldir=/usr/share/doc/bind-9.14.4/html' '--with-sysroot=/' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-dnsrps' '--disable-dnstap' '--disable-fixed-rrset' '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gssapi' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--without-libxml2' '--with-zlib' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe -march=native -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -L/usr/lib64' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'
compiled by GCC 7.3.0
compiled with OpenSSL version: OpenSSL 1.0.2t  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.0.2t  10 Sep 2019
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

Steps to reproduce

  • configure a forwarding name server (in my case the name server from my ISP hetzner.de)
options {
        forwarders {
                213.133.98.97;
                213.133.99.99;
                213.133.100.100;
        }
}
  • dig @localhost 74.141.6.213.in-addr.arpa PTR

What is the current bug behavior?

The server crashes.

What is the expected correct behavior?

It should not crash.

Relevant configuration files

see above.

Relevant logs and/or screenshots

see above.

Possible fixes

unknown.

When using an older version of bind (9.12.3 e.g.) or another forwarder (8.8.8.8 e.g.), the bug does not occure.

Incident tracking page

https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders

Edited by Michał Kępień