BIND TKEY vulnerability (CVE-2015-5477)

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 4

Issue

  • How to fix the vulnerability in TKEY query processing, CVE-2015-5477 (BIND)

Resolution

This issue is addressed in the following updates:

  • Red Hat Enterprise Linux 7 (bind) - bind-9.9.4-18.el7_1.3
    This package is available via Errata RHSA-2015:1513.

  • Red Hat Enterprise Linux 6 (bind) - bind-9.8.2-0.37.rc1.el6_7.2
    This package is available via Errata RHSA-2015:1513.

  • Red Hat Enterprise Linux 5 (bind) - bind-9.3.6-25.P1.el5_11.3
    This package is available via Errata RHSA-2015:1514.

  • Red Hat Enterprise Linux 5 (bind97) - bind97-9.7.0-21.P2.el5_11.2
    This package is available via Errata RHSA-2015:1515.

NOTE: After installing the update, the BIND daemon (named) will be restarted automatically.

At this time, Red Hat does not provide BIND updates for Red Hat Enterprise Linux Extended Update Support (EUS) or Advanced Mission Critical Update Support (AUS). Customers who need EUS or AUS updates should contact Red Hat Customer Support.

The BIND TKEY functionality is unrelated to DNSSEC. All BIND servers running on Red Hat Enterprise Linux are potentially affected, including those which have been configured specifically to disable DNSSEC. There is no supported workaround to mitigate this vulnerability.

Root Cause

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet. (CVE-2015-5477)

Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Jonathan Foote as the original reporter.

Diagnostic Steps

Red Hat has received reports about ongoing exploitation of this vulnerability. In a default configuration, successful exploitation of this vulnerability will result in a log message like this, written to /var/log/messages:

Jul 27 22:17:28 localhost named[1746]: message.c:2311: REQUIRE(*name == ((void *)0)) failed, back trace

(The key parts are "named", "message.c", and "REQUIRE(*name == ((void *)0))"; the other details, such as the timestamp, process ID and message.c line number, can vary depending on the BIND version.)

Afterwards, the named server process will terminate.

An exploitation attempt against an updated BIND version will not log anything, and the server will keep running.
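As an added example (not part of the Red Hat article), the following Python check scans syslog-style lines for the signature described above, keying only on the stable parts (named, message.c and the REQUIRE expression) so that it tolerates the version-dependent fields. The sample log lines are constructed for the example; the first one is the message quoted above.

```python
import re

# Stable parts of the CVE-2015-5477 crash signature: the named process,
# the message.c source file and the failed REQUIRE assertion. The line
# number inside message.c and the trailing text vary by BIND version.
TKEY_ASSERT_RE = re.compile(
    r"named\[(?P<pid>\d+)\]:\s+message\.c:\d+:\s+"
    r"REQUIRE\(\*name == \(\(void \*\)0\)\) failed"
)

# Classic syslog prefix as written to /var/log/messages: "Mon DD HH:MM:SS host ".
SYSLOG_PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+")


def find_tkey_crashes(lines):
    """Return one record per log line matching the TKEY assertion-failure signature."""
    hits = []
    for line in lines:
        m = TKEY_ASSERT_RE.search(line)
        if not m:
            continue
        p = SYSLOG_PREFIX_RE.match(line)
        hits.append({
            "timestamp": p.group("ts") if p else None,
            "host": p.group("host") if p else None,
            "pid": int(m.group("pid")),
            "line": line,
        })
    return hits


# Constructed sample log lines (not captured from a real system). Two carry the
# crash signature with different line numbers and hosts; the others are ordinary
# named messages that must not match.
SAMPLE_LOG = [
    "Jul 27 22:17:28 localhost named[1746]: message.c:2311: REQUIRE(*name == ((void *)0)) failed, back trace",
    "Jul 27 22:17:29 localhost named[1746]: exiting (due to assertion failure)",
    "Jul 28 03:10:02 ns1 named[2215]: message.c:2198: REQUIRE(*name == ((void *)0)) failed",
    "Jul 28 03:11:00 ns1 named[2290]: zone example.test/IN: loaded serial 2015072801",
    "Jul 28 03:11:01 ns1 named[2290]: running",
]

if __name__ == "__main__":
    for hit in find_tkey_crashes(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['host']}: named pid {hit['pid']} hit the TKEY assertion failure")
```

On a real host, read /var/log/messages (or journalctl -u named output) line by line into find_tkey_crashes; any hit means the running package predates the fixed versions listed under Resolution and should be updated.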

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.