[CVE-2022-3080] BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly
CVE-specific actions
- Assign a CVE identifier
- Determine CVSS score
- Determine the range of BIND versions affected (including the Subscription Edition)
- Determine whether workarounds for the problem exist
- Create a draft of the security advisory and put the information above in there
- Prepare a detailed description of the problem which should include the following by default:
  - instructions for reproducing the problem (a system test is good enough)
  - explanation of the code flow which triggers the problem (a system test is not good enough)
- Prepare a private merge request containing the following items in separate commits:
  - a test for the issue (may be moved to a separate merge request for deferred merging)
  - a fix for the issue
  - documentation updates (CHANGES, release notes, anything else applicable)
- Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
- Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
- Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
- Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
Release-specific actions
- Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- Ensure the merge requests containing CVE fixes are merged into security-* branches in CVE identifier order
Post-disclosure actions
- Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches
Incident tracking
https://gitlab.isc.org/isc-private/bind9/-/issues/58
As reported to Security Officer:
Summary
Confirmed behaviour in self-built BIND 9.16.31 and in BIND 9.18.1 installed from the official Ubuntu repo.
named constantly crashes with stale-cache enabled and the option stale-answer-client-timeout set to 0. This behavior is constantly reproducible with A requests for a CNAME record.
test-cname.myctl.com 30 IN CNAME test-cname.myctl.com.
test-cname-a.myctl.com 60 IN A 127.0.0.1
Trace:
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: test-cname.myctl.com stale answer used, an attempt to refresh the RRset will still be made
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: resolver priming query complete: success
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: test-cname.myctl.com stale answer used, an attempt to refresh the RRset will still be made
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: query.c:8199: INSIST(qctx->rdataset == ((void *)0) || qctx->qtype == ((dns_rdatatype_t)dns_rdatatype_dname)) failed, back trace
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /usr/sbin/named(+0x1f0f7) [0x55796ab880f7]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.1-Ubuntu.so(isc_assertion_failed+0x10) [0x7fb9dd89a560]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libns-9.18.1-1ubuntu1.1-Ubuntu.so(+0x2633f) [0x7fb9dd63833f]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libns-9.18.1-1ubuntu1.1-Ubuntu.so(+0x27785) [0x7fb9dd639785]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libns-9.18.1-1ubuntu1.1-Ubuntu.so(+0x2804a) [0x7fb9dd63a04a]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.1-Ubuntu.so(isc_task_run+0x2b0) [0x7fb9dd8c2aa0]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.1-Ubuntu.so(+0x2572d) [0x7fb9dd88e72d]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.1-Ubuntu.so(+0x25e05) [0x7fb9dd88ee05]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.1-Ubuntu.so(+0x265b7) [0x7fb9dd88f5b7]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libuv.so.1(+0x91ed) [0x7fb9dd1211ed]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libuv.so.1(+0x2511e) [0x7fb9dd13d11e]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libuv.so.1(uv_run+0x678) [0x7fb9dd126c88]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.1-Ubuntu.so(+0x25e9e) [0x7fb9dd88ee9e]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.1-Ubuntu.so(isc__trampoline_run+0x1a) [0x7fb9dd8be7aa]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libc.so.6(+0x94b43) [0x7fb9dcd47b43]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /lib/x86_64-linux-gnu/libc.so.6(+0x126a00) [0x7fb9dcdd9a00]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: exiting (due to assertion failure)
Aug 30 16:26:19 ip-172-31-0-120 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
BIND version used
/sbin/named -V
BIND 9.18.1-1ubuntu1.1-Ubuntu (Stable Release) id:
running on Linux x86_64 5.15.0-1017-aws #21-Ubuntu SMP Fri Aug 5 11:10:45 UTC 2022
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-IeZYTB/bind9-9.18.1=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 11.2.0
compiled with OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
linked to OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
compiled with libuv version: 1.43.0
linked to libuv version: 1.43.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
threads support is enabled
default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file:       //run/named/named.pid
  named lock file:      //run/named/named.lock
  geoip-directory:      /usr/share/GeoIP
also confirmed in 9.16.31
Steps to reproduce
BIND installed on a freshly installed Ubuntu 22.04.1 LTS from the official repo
Run command: while true; do dig +tries=1 +timeout=10 @127.0.0.1 test-cname.myctl.com. A; done
After several seconds named dies with error: query.c:8199: INSIST(qctx->rdataset == ((void *)0) || qctx->qtype == ((dns_rdatatype_t)dns_rdatatype_dname)) failed, back trace
Config
# cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
dnssec-validation no;
stale-cache-enable yes;
stale-answer-enable yes;
stale-answer-client-timeout 0;
listen-on-v6 { any; };
};
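To triage reports of this shape, here is an added example in Python; it is not part of the report above and not ISC's code. It scans syslog/journal lines for a named assertion failure, records the source location and the failed expression together with the "stale answer used" messages the same named process logged just before it, and checks whether a named.conf options block carries the combination the reporter ties to the crash (stale-cache-enable yes, stale-answer-enable yes, stale-answer-client-timeout 0). The sample log lines and options block are constructed from the report; the function names and the one-statement-per-line options parser are assumptions of this example, not anything BIND provides.

```python
import re

# Constructed sample: a subset of the syslog lines from the report above.
SAMPLE_LOG = """\
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: test-cname.myctl.com stale answer used, an attempt to refresh the RRset will still be made
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: resolver priming query complete: success
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: test-cname.myctl.com stale answer used, an attempt to refresh the RRset will still be made
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: query.c:8199: INSIST(qctx->rdataset == ((void *)0) || qctx->qtype == ((dns_rdatatype_t)dns_rdatatype_dname)) failed, back trace
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: /usr/sbin/named(+0x1f0f7) [0x55796ab880f7]
Aug 30 16:26:18 ip-172-31-0-120 named[15571]: exiting (due to assertion failure)
Aug 30 16:26:19 ip-172-31-0-120 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
"""

# Constructed sample: the options block from the report.
SAMPLE_CONF = """\
options {
directory "/var/cache/bind";
dnssec-validation no;
stale-cache-enable yes;
stale-answer-enable yes;
stale-answer-client-timeout 0;
listen-on-v6 { any; };
};
"""

# Classic syslog layout: "Mon DD HH:MM:SS host proc[pid]: message"
MSG_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# BIND's assertion macros (REQUIRE/ENSURE/INSIST/INVARIANT) log "file:line: KIND(expr) failed"
ASSERT_RE = re.compile(r"^(?P<file>[\w./-]+):(?P<line>\d+): (?P<kind>REQUIRE|ENSURE|INSIST|INVARIANT)\((?P<expr>.*)\) failed")
STALE_RE = re.compile(r"^(?P<name>\S+) stale answer used, an attempt to refresh")
# Simple "name value;" statement; nested blocks such as listen-on-v6 { any; } are skipped
OPTION_RE = re.compile(r"^(?P<name>[a-z][\w-]*)\s+(?P<value>[^;{]+?)\s*;$")


def parse_log(lines):
    """Return one event per named assertion failure: location, expression, the
    stale-answer names the same pid logged since the previous failure, and
    whether the 'exiting' line and the systemd ABRT exit status followed."""
    events = []
    stale_by_pid = {}   # pid -> names answered from stale cache since last failure
    current = None      # most recent event, waiting for exit/ABRT confirmation
    for raw in lines:
        m = MSG_RE.match(raw.strip())
        if not m:
            continue
        proc, pid, msg = m.group("proc"), int(m.group("pid")), m.group("msg")
        if proc == "named":
            s = STALE_RE.match(msg)
            if s:
                stale_by_pid.setdefault(pid, []).append(s.group("name"))
                continue
            a = ASSERT_RE.match(msg)
            if a:
                current = {"pid": pid, "file": a.group("file"), "line": int(a.group("line")),
                           "kind": a.group("kind"), "expr": a.group("expr"),
                           "stale_before": stale_by_pid.pop(pid, []),
                           "exited": False, "abrt": False}
                events.append(current)
            elif current and pid == current["pid"] and msg == "exiting (due to assertion failure)":
                current["exited"] = True
        elif proc == "systemd" and current and "named.service: Main process exited" in msg \
                and "status=6/ABRT" in msg:
            current["abrt"] = True
    return events


def options_of(conf_text):
    """Collect 'name value;' statements inside options { ... } (assumed one per line)."""
    opts, in_options = {}, False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("options") and s.endswith("{"):
            in_options = True
        elif in_options and s == "};":
            in_options = False
        elif in_options:
            m = OPTION_RE.match(s)
            if m:
                opts[m.group("name")] = m.group("value").strip().strip('"')
    return opts


def triggering_combination(conf_text):
    """True when the options block matches the reporter's exact crash configuration:
    stale cache and stale answers on, and client timeout 0 (answer from stale data
    at once, refresh afterwards, which is what the 'stale answer used' lines reflect)."""
    o = options_of(conf_text)
    return (o.get("stale-cache-enable") == "yes" and o.get("stale-answer-enable") == "yes"
            and o.get("stale-answer-client-timeout") == "0")


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG.splitlines()):
        print(f"named[{ev['pid']}] {ev['kind']} at {ev['file']}:{ev['line']} "
              f"after stale answers for {ev['stale_before']} exited={ev['exited']} abrt={ev['abrt']}")
    print("reporter's stale-answer combination present:", triggering_combination(SAMPLE_CONF))
```

The checker deliberately matches only the combination the reporter gives; the report does not establish which other stale-answer-client-timeout values are safe, so the example makes no claim about them. Run against a real journal with `journalctl -u named -o short` piped into `parse_log`, line by line.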