SUSE Support

CVE-2016-2776: possible remote denial of service in bind package (named)

This document (7018100) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 GA - LTSS (SLES 12 GA LTSS)

SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 2 LTSS (SLES 11 SP2 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 1 LTSS (SLES 11 SP1 LTSS)

SUSE Linux Enterprise Server 10 Service Pack 4 LTSS (SLES 10 SP4 LTSS)


Situation

On Wednesday, 28th of September 2016, ISC.org published a "critical" BIND update.

A malicious attacker can abort the 'named' service with a malformed packet, possibly causing a remote denial of service.

Access control lists (ACLs) are likely not effective as a workaround for this problem, because the packet handling triggers the assertion before the ACLs are evaluated. If the 'named' service is listening on the network, it can be aborted through this vulnerability.

This issue affects all BIND versions SUSE ships/shipped.

Resolution

SUSE has released patches for this issue:
SLES 12 SP1
  • bind = 9.9.9P1-46.1
  • bind-chrootenv = 9.9.9P1-46.1
  • bind-devel = 9.9.9P1-46.1
  • bind-doc = 9.9.9P1-46.1
  • bind-libs = 9.9.9P1-46.1
  • bind-libs-32-bit = 9.9.9P1-46.1
  • bind-utils = 9.9.9P1-46.1
SLES 12 GA LTSS
  • bind = 9.9.9P1-28.20.1
SLES 11 SP4
  • bind = 9.9.6P1-0.30.1
  • bind-chrootenv = 9.9.6P1-0.30.1
  • bind-devel = 9.9.6P1-0.30.1
  • bind-devel-32bit = 9.9.6P1-0.30.1
  • bind-doc = 9.9.6P1-0.30.1
  • bind-libs = 9.9.6P1-0.30.1
  • bind-libs-32bit = 9.9.6P1-0.30.1
  • bind-libs-x86 = 9.9.6P1-0.30.1
  • bind-utils = 9.9.6P1-0.30.1
SLES 11 SP3 LTSS
  • bind = 9.9.6P1-0.30.1
SLES 11 SP2 LTSS
  • bind = 9.9.6P1-0.30.1
SUSE highly recommends patching impacted servers as soon as possible.

Note: For customers with valid LTSS entitlements on older versions, SUSE has prepared PTFs that can be requested through Support. The versions for these are:
SLES 11 SP1 LTSS
  • bind = 9.6ESVR11W1-0.21.1
SLES 10 SP4 LTSS
  • bind = 9.6ESVR11P1-0.18.11
SLES 10 SP3 LTSS
  • bind = 9.3.4-1.59.1
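
An added example (not SUSE's own tooling): a Python check that compares an installed bind version-release string, as printed by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' bind`, against the fixed versions listed above. It uses rpm-style segment comparison because plain string comparison misorders releases such as 0.9.1 and 0.30.1; the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

# Fixed 'bind' version-release per product, copied from the lists above
# (the last three are the PTF versions available through Support).
FIXED = {
    "SLES 12 SP1": "9.9.9P1-46.1",
    "SLES 12 GA LTSS": "9.9.9P1-28.20.1",
    "SLES 11 SP4": "9.9.6P1-0.30.1",
    "SLES 11 SP3 LTSS": "9.9.6P1-0.30.1",
    "SLES 11 SP2 LTSS": "9.9.6P1-0.30.1",
    "SLES 11 SP1 LTSS": "9.6ESVR11W1-0.21.1",
    "SLES 10 SP4 LTSS": "9.6ESVR11P1-0.18.11",
    "SLES 10 SP3 LTSS": "9.3.4-1.59.1",
}

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does.
    Returns -1, 0 or 1. Simplified: '~' and '^' markers are not handled."""
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric: 30 > 9, unlike "30" < "9"
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats a letter one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def evr_cmp(a, b):
    """Compare 'version-release' strings; no epoch is assumed."""
    ver_a, _, rel_a = a.partition("-")
    ver_b, _, rel_b = b.partition("-")
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)

def is_patched(product, installed):
    """True if the installed bind is at or above the fixed version for product."""
    return evr_cmp(installed, FIXED[product]) >= 0

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real system.
    for product, installed in [("SLES 11 SP4", "9.9.6P1-0.9.1"),
                               ("SLES 11 SP4", "9.9.6P1-0.30.1"),
                               ("SLES 12 SP1", "9.9.9P1-46.1")]:
        state = "patched" if is_patched(product, installed) else "VULNERABLE"
        print(f"{product}: bind {installed} -> {state}")
```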

Cause


Additional Information

CVE-2016-2776

Affected BIND versions are:
  • 9.0.x -> 9.8.x
  • 9.9.0 -> 9.9.9-P2
  • 9.10.0 -> 9.10.4-P2
  • 9.11.0a1 -> 9.11.0rc1
Description:

Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause 'named' to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.
This assertion can be triggered even if the apparent source address is not allowed to make queries (i.e. does not match 'allow-query').

Impact:
All servers are vulnerable if they can receive request packets from any source.
  • CVSS Score: 7.8
  • CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score, please visit nvd.nist.gov.
Workaround:
No practical workaround exists at this stage.
Active exploits:
No known active exploits.
Solution:

Upgrade to the patched release most closely related to your current version of BIND:
  • BIND 9 version 9.9.9-P3
  • BIND 9 version 9.10.4-P3
  • BIND 9 version 9.11.0rc2

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7018100
  • Creation Date: 27-Sep-2016
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
