[CVE-2023-2911] Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0
| Quick Links | |
|---|---|
| Incident Manager: | @tkrizek |
| Deputy Incident Manager: | @ebf |
| Public Disclosure Date: | 2023-06-21 |
| CVSS Score: | 7.5 |
| Security Advisory: | https://gitlab.isc.org/isc-private/printing-press/-/merge_requests/56 |
| Mattermost Channel: | CVE-2023-2911: crash with "stale-answer-client-timeout 0;" |
| Support Ticket: | N/A |
| Release Checklist: | #4123 (closed) |
| Post-mortem Etherpad: | postmortem-2023-06 |
Earlier Than T-5

- (IM) Pick a Deputy Incident Manager
- (IM) Respond to the bug reporter
- (IM) Create an Etherpad for post-mortem
- (SwEng) Ensure there are no public merge requests which inadvertently disclose the issue
- (IM) Assign a CVE identifier
- (SwEng) Update this issue with the assigned CVE identifier and the CVSS score
- (SwEng) Determine the range of product versions affected (including the Subscription Edition)
- (SwEng) Determine whether workarounds for the problem exist
- (SwEng) If necessary, coordinate with other parties
- (Support) Prepare and send out "earliest" notifications
- (Support) Create a merge request for the Security Advisory and include all readily available information in it
- (SwEng) Prepare a private merge request containing a system test reproducing the problem
- (SwEng) Notify Support when a reproducer is ready
- (SwEng) Prepare a detailed explanation of the code flow triggering the problem
- (SwEng) Prepare a private merge request with the fix
- (SwEng) Ensure the merge request with the fix is reviewed and has no outstanding discussions
- (Support) Review the documentation changes introduced by the merge request with the fix
- (SwEng) Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
- (Support) Finish preparing the Security Advisory
- (QA) Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- (QA) (BIND 9 only) Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- (QA) Merge the CVE fixes in CVE identifier order
- (QA) Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch
- (QA) Prepare ASN releases (as outlined in the Release Checklist)

At T-5

- (Support) Send ASN to eligible customers
- (Support) (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes

At T-4

- (Support) Verify that all ASN-eligible customers have received the notification email

At T-1

- (Support) Verify that any new or reinstated customers have received the notification email
- (First IM) Send notifications to OS packagers

On the Day of Public Disclosure

- (IM) Grant Support clearance to proceed with public release
- (Support) Publish the releases (as outlined in the release checklist)
- (Support) (BIND 9 only) Update vulnerability matrix in the Knowledge Base
- (Support) Bump Document Version for the Security Advisory and publish it in the Knowledge Base
- (First IM) Send notification emails to third parties
- (First IM) Advise MITRE about the disclosed CVEs
- (First IM) Merge the Security Advisory merge request
- (IM) Inform original reporter (if external) that the security disclosure process is complete
- (Support) Inform customers a fix has been released

After Public Disclosure

- (First IM) Organize post-mortem meeting and make sure it happens
- (Support) Close support tickets
- (QA) Merge a regression test reproducing the bug into all affected (and still maintained) branches
This crash is very easy to reproduce, at least on my Debian 11 virtual: `Linux BIND2 5.10.0-21-arm64 #1 SMP Debian 5.10.162-1 (2023-01-21) aarch64 GNU/Linux`

Create a file called `dataset` with contents `rpzcname.myctl.com. A`.

Execute `./queryperf -d dataset -l 300 -T 1000 -u 500 -s 127.0.0.1 -v -c` against BIND 9.18.15 with the following configuration:
```
controls {
    inet 127.0.0.1 port 953 allow {
        127.0.0.1/32;
    } keys {
        "rndc-key";
    };
};
options {
    directory "/usr/local/BIND/9.16.37/var/cache/bind";
    pid-file "/usr/local/BIND/9.16.37/var/run/named.pid";
    querylog no;
    recursive-clients 500;
    serial-query-rate 200;
    tcp-clients 500;
    transfers-per-ns 10;
    version "unknown";
    check-names slave ignore;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
    stale-answer-ttl 31;
    stale-cache-enable yes;
    stale-refresh-time 90;
    allow-transfer {
        "localhost";
    };
    multi-master yes;
    notify no;
};
statistics-channels {
    inet 0.0.0.0 port 8080;
};
key "rndc-key" {
    algorithm "hmac-sha256";
    secret "????????????????????????????????????????????";
};
```
`named -V` output:
```
BIND 9.18.15 (Extended Support Version) <id:f53a076>
running on Linux aarch64 5.10.0-21-arm64 #1 SMP Debian 5.10.162-1 (2023-01-21)
built by make with '--enable-dnstap' '--with-libxml2' '--with-json-c' '--with-zlib' '--enable-full-report' '--prefix=/usr/local/BIND/9.18.15'
compiled by GCC 10.2.1 20210110
compiled with OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022
linked to OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
  named configuration: /usr/local/BIND/9.18.15/etc/named.conf
  rndc configuration: /usr/local/BIND/9.18.15/etc/rndc.conf
  DNSSEC root key: /usr/local/BIND/9.18.15/etc/bind.keys
  nsupdate session key: /usr/local/BIND/9.18.15/var/run/named/session.key
  named PID file: /usr/local/BIND/9.18.15/var/run/named/named.pid
  named lock file: /usr/local/BIND/9.18.15/var/run/named/named.lock
```
See the attached debug log file (`debug.log`), from daemon start until the crash.

See the attached stack trace in `gdb.txt`.

I also have a core file and could gather all of the details (binary / libraries etc.) if needed.
Another observation: once these log messages appear:

```
24-May-2023 18:06:16.022 rpz.myctl.com stale answer used, an attempt to refresh the RRset will still be made
```

BIND can only be stopped with a `kill -9`.

I also gave it a try with 9.16.37 on the same virtual. Same result: segfault.
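The trigger condition named in the title is a configuration state (`stale-answer-client-timeout 0;`), so an operator can audit a `named.conf` for it before exposure. The script below is an added example, not ISC's code or the reporter's: it strips comments, pulls the top-level `options` block while honouring nested braces, and reports the stale-answer and `recursive-clients` settings, flagging only the title's condition. The sample configuration is constructed from the report's `options` block; `audit`, `extract_block` and `option_value` are names chosen here. It checks `options` only; a `view` can override these settings and would need the same check applied to its body.

```python
"""Audit a named.conf fragment for the CVE-2023-2911 trigger setting."""
import re

# Constructed sample: the settings that matter from the reporter's options block.
SAMPLE_CONF = """\
options {
    directory "/var/cache/bind";   // constructed path, not the report's
    recursive-clients 500;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
    stale-cache-enable yes;
    allow-transfer { "localhost"; };
};
"""


def strip_comments(text):
    """Remove C-style, C++-style and shell-style comments named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_block(text, name):
    """Return the body of the top-level `name { ... };` block, tracking nesting."""
    start = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not start:
        return None
    depth, pos = 1, start.end()
    for i in range(pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[pos:i]
    return None  # unbalanced braces: named would reject this file anyway


def option_value(body, key):
    """Value of a simple `key value;` statement inside a block body, or None."""
    m = re.search(r"(?m)^\s*%s\s+([^;{]+);" % re.escape(key), body)
    return m.group(1).strip().strip('"') if m else None


def audit(conf):
    """Report the stale-answer settings; flag the title's trigger: timeout of 0."""
    body = extract_block(strip_comments(conf), "options") or ""
    timeout = option_value(body, "stale-answer-client-timeout")
    return {
        "stale-answer-enable": option_value(body, "stale-answer-enable"),
        "stale-answer-client-timeout": timeout,
        "recursive-clients": option_value(body, "recursive-clients"),
        "trigger_config": timeout == "0",
    }
```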