Share with friends and colleagues on social media

A new vulnerability was discovered (CVE-2016-2776) which could possibly allow a remote denial of service attack.  SUSE already has patches available to fix this issue.

Some details on CVE-2016-2776:

Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response.

A defect in the rendering of messages into packets can cause ‘named’ to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address is not allowed to make queries (i.e. does not match ‘allow-query’). All servers are vulnerable if they can receive request packets from any source.

Access Control lists are likely not effective as a workaround for this problem, as the packet handling will trigger the assertion before the ACLs are handled. So if the ‘named’ service is listening on the network it can be aborted by this vulnerability.

This issue affects all BIND versions SUSE ships/shipped.

How to protect your system:

Upgrade to the patched release most closely related to your current version of BIND.  As of writing this post, SUSE has released patches for this issue for:

  • SLES 12 SP1
    • bind = 9.9.9P1-46.1
    • bind-chrootenv = 9.9.9P1-46.1
    • bind-devel= 9.9.9P1-46.1
    • bind-doc = 9.9.9P1-46.1
    • bind-libs = 9.9.9P1-46.1
    • bind-libs-32-bit = 9.9.9P1-46.1
    • bind-utils = 9.9.9P1-46.1
  • SLES 12 GA LTSS
    • bind = 9.9.9P1-28.20.1
  • SLES 11 SP4
    • bind = 9.9.6P1-0.30.1
    • bind-chrootenv = 9.9.6P1-0.30.1
    • bind-devel = 9.9.6P1-0.30.1
    • bind-devel-32bit = 9.9.6P1-0.30.1
    • bind-doc = 9.9.6P1-0.30.1
    • bind-libs = 9.9.6P1-0.30.1
    • bind-libs-32bit = 9.9.6P1-0.30.1
    • bind-libs-x86 = 9.9.6P1-0.30.1
    • bind-utils = 9.9.6P1-0.30.1
  • SLES 11 SP3 LTSS
    • bind = 9.9.6P1-0.30.1
  • SLES 11 SP2 LTSS
    • bind = 9.9.6P1-0.30.1

SUSE highly recommends to patch impacted systems as soon as possible.

Note: For customers with valid LTSS entitlements on older versions SUSE has prepared PTFs that can be requested through Support.

Affected BIND versions:

  • 9.0.x -> 9.8.x
  • 9.9.0->9.9.9-P2
  • 9.9.3-S1->9.9.9-S3
  • 9.10.0->9.10.4-P2
  • 9.11.0a1->9.11.0rc1

 


Share with friends and colleagues on social media

Category: Expert Views, SUSE Linux Enterprise, Technical Solutions
This entry was posted Tuesday, 27 September, 2016 at 11:39 am
You can follow any responses to this entry via RSS.

Leave a Reply

Your email address will not be published. Required fields are marked *

No comments yet