[CVE-2023-5517] Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled
| Quick Links | |
|---|---|
| Incident Manager: | @greg |
| Deputy Incident Manager: | @matthijs |
| Public Disclosure Date: | 2024-02-13 |
| CVSS Score: | 7.5 |
| Security Advisory: | isc-private/printing-press!84 |
| Mattermost Channel: | CVE-2023-5517: "nxdomain-redirect" crashes for RFC 1918 queries |
| Support Ticket: | SF#1296 |
| Release Checklist: | #4515 (closed) & #4555 (closed) |
Earlier Than T-5
- (IM) Pick a Deputy Incident Manager
- (IM) Respond to the bug reporter
- (SwEng) Ensure there are no public merge requests which inadvertently disclose the issue
- (IM) Assign a CVE identifier
- (SwEng) Update this issue with the assigned CVE identifier and the CVSS score
- (SwEng) Determine the range of product versions affected (including the Subscription Edition)
- (SwEng) Determine whether workarounds for the problem exist
- (SwEng) If necessary, coordinate with other parties
- (Support) Prepare "earliest" notification text and hand it off to Marketing
- (Marketing) Update "earliest" notification document in SF portal and send bulk email to earliest customers
- (Support) Create a merge request for the Security Advisory and include all readily available information in it
- (SwEng) Prepare a private merge request containing a system test reproducing the problem
- (SwEng) Notify Support when a reproducer is ready
- (SwEng) Prepare a detailed explanation of the code flow triggering the problem
- (SwEng) Prepare a private merge request with the fix
- (SwEng) Ensure the merge request with the fix is reviewed and has no outstanding discussions
- (Support) Review the documentation changes introduced by the merge request with the fix
- (SwEng) Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
- (Support) Finish preparing the Security Advisory
- (QA) Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- (QA) (BIND 9 only) Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- (QA) Merge the CVE fixes in CVE identifier order
- (QA) Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch
- (QA) Prepare ASN releases (as outlined in the Release Checklist)
At T-5
- (Marketing) Update the text on the T-5 (from the Printing Press project) and "earliest" ASN documents in the SF portal
- (Marketing) (BIND 9 only) Update the BIND -S information document in SF with download links to the new versions
- (Marketing) Bulk email eligible customers to check the SF portal
- (Marketing) (BIND 9 only) Send a pre-announcement email to the bind-announce mailing list to alert users that the upcoming release will include security fixes
At T-1
- (First IM) Send notifications to OS packagers
On the Day of Public Disclosure
- (IM) Grant QA & Marketing clearance to proceed with public release
- (QA/Marketing) Publish the releases (as outlined in the release checklist)
- (Support) (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
- (Support) Bump Document Version for the Security Advisory and publish it in the Knowledge Base
- (First IM) Send notification emails to third parties
- (First IM) Advise MITRE about the disclosed CVEs
- (First IM) Merge the Security Advisory merge request
- (IM) Inform original reporter (if external) that the security disclosure process is complete
- (Marketing) Update the SF portal to clear the ASN
- (Marketing) Email ASN recipients that the embargo is lifted
After Public Disclosure
- (QA) Merge a regression test reproducing the bug into all affected (and still maintained) branches
Summary
named is repeatedly crashing just after starting up and traffic is directed to the server.
BIND version used
9.16.42-S1
Steps to reproduce
`...pending`
```
options { nxdomain-redirect "example.com"; };
```
```
dig IN PTR 10.10.10.10.in-addr.arpa @<server>
```
What is the current bug behavior?
(It looks like there's a nanny script restarting named each time it stops)
```
07-Oct-2023 00:19:49.052 success resolving '1.80.168.192.in-addr.arpa.sury.org/PTR' after disabling qname minimization due to 'ncache nxdomain'
07-Oct-2023 00:19:49.052 ncache.c:528: REQUIRE((ncacherdataset->attributes & 0x00200000) != 0) failed
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/isc/.libs/libisc-9.19.18-dev.so(isc_backtrace_log+0x39) [0x7f289a44c9c4]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/bin/named/.libs/named(+0x2467e) [0x55b2f03e767e]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/isc/.libs/libisc-9.19.18-dev.so(isc_assertion_failed+0xa) [0x7f289a44c598]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/dns/.libs/libdns-9.19.18-dev.so(dns_ncache_getrdataset+0x174) [0x7f289a09c1cf]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/ns/.libs/libns-9.19.18-dev.so(+0x2579e) [0x7f289a3f779e]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/ns/.libs/libns-9.19.18-dev.so(+0x2d55d) [0x7f289a3ff55d]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/ns/.libs/libns-9.19.18-dev.so(+0x2b144) [0x7f289a3fd144]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/ns/.libs/libns-9.19.18-dev.so(+0x2f419) [0x7f289a401419]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/ns/.libs/libns-9.19.18-dev.so(+0x2fa86) [0x7f289a401a86]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/isc/.libs/libisc-9.19.18-dev.so(isc__async_cb+0xe4) [0x7f289a44c8c5]
07-Oct-2023 00:19:49.056 /lib/x86_64-linux-gnu/libuv.so.1(+0xf09d) [0x7f289a32709d]
07-Oct-2023 00:19:49.056 /lib/x86_64-linux-gnu/libuv.so.1(+0x22e3c) [0x7f289a33ae3c]
07-Oct-2023 00:19:49.056 /lib/x86_64-linux-gnu/libuv.so.1(uv_run+0xc4) [0x7f289a3279e4]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/isc/.libs/libisc-9.19.18-dev.so(+0x40a68) [0x7f289a45fa68]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/isc/.libs/libisc-9.19.18-dev.so(+0x4f8bc) [0x7f289a46e8bc]
07-Oct-2023 00:19:49.056 /home/ondrej/Projects/bind9/lib/isc/.libs/libisc-9.19.18-dev.so(+0x4f8e5) [0x7f289a46e8e5]
07-Oct-2023 00:19:49.056 /lib/x86_64-linux-gnu/libc.so.6(+0x89044) [0x7f28996fc044]
07-Oct-2023 00:19:49.056 /lib/x86_64-linux-gnu/libc.so.6(+0x1095fc) [0x7f289977c5fc]
07-Oct-2023 00:19:49.056 exiting (due to assertion failure)
Aborted (core dumped)
```
What is the expected correct behavior?
Um.. not crashing!
Possible fixes
Disable `nxdomain-redirect`.
Edited by Michał Kępień
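
A defender-side check for the condition and the workaround described in this report, as an added example that is not part of the original issue or of BIND: it lists uncommented `nxdomain-redirect` statements in a configuration file and finds the `ncache.c` assertion line in a `named` log. The function names, the sample configuration and the timestamp-first log layout are assumptions.

```python
import re

# named.conf accepts /* */, // and # comments; quoted strings are matched
# first so that comment markers inside them are left untouched.
_SKIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# Strings are consumed first here too, so the option name inside an
# unrelated quoted value is never reported (group 1 stays None for them).
_REDIRECT = re.compile(
    r'"(?:\\.|[^"\\])*"|\bnxdomain-redirect\s+"?([^\s";]+)"?\s*;')
# Assertion text as logged in this report; the ncache.c line number and the
# flag value are matched loosely (assumed to vary between BIND versions).
_ASSERT = re.compile(
    r'^(\S+ \S+)\s.*?\bncache\.c:\d+: REQUIRE\(\(ncacherdataset->attributes'
    r' & 0x[0-9a-fA-F]+\) != 0\) failed')

def _blank(m):
    s = m.group(0)
    # Keep strings; turn comments into spaces but keep their newlines so
    # reported line numbers still match the file.
    return s if s.startswith('"') else re.sub(r'[^\n]', ' ', s)

def active_redirects(conf_text):
    """Return (line_number, zone) for each uncommented nxdomain-redirect."""
    clean = _SKIP.sub(_blank, conf_text)
    return [(clean.count('\n', 0, m.start()) + 1, m.group(1))
            for m in _REDIRECT.finditer(clean) if m.group(1)]

def assertion_hits(log_lines):
    """Return timestamps of log lines carrying the ncache.c assertion."""
    return [m.group(1) for m in map(_ASSERT.match, log_lines) if m]

# Constructed sample configuration (not from the report).
SAMPLE_CONF = '''\
options {
    directory "/var/named";   // working directory
    # nxdomain-redirect "old.example";
    /* nxdomain-redirect "older.example"; */
    nxdomain-redirect "example.com";
};
'''
# Log lines copied from the report above.
SAMPLE_LOG = [
    "07-Oct-2023 00:19:49.052 success resolving '1.80.168.192.in-addr.arpa.sury.org/PTR' after disabling qname minimization due to 'ncache nxdomain'",
    "07-Oct-2023 00:19:49.052 ncache.c:528: REQUIRE((ncacherdataset->attributes & 0x00200000) != 0) failed",
    "07-Oct-2023 00:19:49.056 exiting (due to assertion failure)",
]

if __name__ == "__main__":
    print(active_redirects(SAMPLE_CONF), assertion_hits(SAMPLE_LOG))
```

An empty result from `active_redirects` means the workaround listed under "Possible fixes" is already in effect for that file; included files have to be checked separately.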