Bug 989528 - (CVE-2016-2775) VUL-1: CVE-2016-2775: bind: lwresd: A query name which is too long can cause a segmentation fault
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/171057/
CVSSv2:RedHat:CVE-2016-2775:4.3:(AV:N...
Reported: 2016-07-19 11:19 UTC by Andreas Stieger
Modified: 2020-09-24 14:58 UTC (History)
Found By: Security Response Team


Description Andreas Stieger 2016-07-19 11:19:37 UTC
https://kb.isc.org/article/AA-01393/

Although not commonly used, the BIND package contains provisions to allow systems to resolve names using the lightweight resolver protocol, a protocol similar to (but distinct from) the normal DNS protocols.  The lightweight resolver protocol can be used either by running the lwresd utility installed with BIND or by configuring named using the "lwres" statement in named.conf.

An error has been discovered in the BIND implementation of the lightweight resolver protocol affecting systems which use this alternate method to do name resolution.

CVE:               CVE-2016-2775
Document Version:  2.0
Posting date:      18 July 2016
Program Impacted:  BIND
Versions affected: 9.0.x -> 9.9.9-P1, 9.10.0->9.10.4-P1, 9.11.0a3->9.11.0b1
Severity:          Medium
Exploitable:       Remotely (if lwresd is configured to accept remote client connections)

Description: If the lightweight resolver is asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length, the server can terminate due to an error.

Impact: A server which is affected by this defect will terminate with a segmentation fault error, resulting in a denial of service to client programs attempting to resolve names.

CVSS Score:  5.4 if the server is configured to accept requests from the network.
CVSS Vector:  (AV:N/AC:H/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C)

Workarounds: None.

Active exploits: No known active exploits, but the bug has been publicly disclosed in an open bug repository operated by Red Hat.

Fixed versions:
    BIND 9 version 9.9.9-P2
    BIND 9 version 9.10.4-P2
    BIND 9 version 9.11.0b2
    BIND 9 version 9.9.9-S3

Document Revision History:

1.0 Advance Notification, 14 July 2016
2.0 Public Disclosure, 18 July 2016


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1357803
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2775
http://seclists.org/oss-sec/2016/q3/106
https://kb.isc.org/article/AA-01393/74/CVE-2016-2775
Comment 2 Swamp Workflow Management 2016-07-19 22:00:15 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2016-09-01 12:58:44 UTC
(In reply to Andreas Stieger from comment #1)

*Correction* of the previous evaluation:

The issue affects the standalone lwresd daemon as contained in the bind-lwresd package, which is only shipped on openSUSE.

The issue *also* affects named as contained in the bind package, which is shipped on SLES. It is affected when using the "lwres" statement in named.conf, which is not the default configuration.
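Added example (not part of the bug report, and not SUSE or ISC code): one way to check whether a named.conf puts named in the affected configuration described above, by locating "lwres" statements, listing their search entries and flagging listeners other than loopback. The sample configuration is constructed and the function names are hypothetical; the standalone lwresd daemon is not covered.

```python
import ipaddress
import re

# Constructed sample named.conf, not taken from the bug report.
SAMPLE_CONF = """
options { directory "/var/lib/named"; };
// lwres { listen-on { 192.0.2.1; }; };  commented out, must be ignored
/* lwres { search { old.example.; }; }; */
lwres {
    listen-on { 127.0.0.1; 192.0.2.53 port 921; };
    search { corp.example.; example.com.; };
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def lwres_blocks(text):
    """Yield the body of every brace-balanced `lwres { ... }` statement."""
    for m in re.finditer(r"(?<![\w-])lwres\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth == 0:
            yield text[m.end():i - 1]

def option_list(body, name):
    """Return the entries of `name [...] { a; b; };` inside an lwres body."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"[^{};]*\{([^{}]*)\}", body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else []

def audit(conf_text):
    """Report search list and non-loopback listeners per lwres statement."""
    findings = []
    for body in lwres_blocks(strip_comments(conf_text)):
        # Without listen-on, named accepts lwres requests on 127.0.0.1 only.
        addrs = [e.split()[0] for e in option_list(body, "listen-on")] or ["127.0.0.1"]
        remote = [a for a in addrs if not ipaddress.ip_address(a).is_loopback]
        findings.append({"search": option_list(body, "search"),
                         "remote_listeners": remote,
                         "network_reachable": bool(remote)})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

A finding matters only on an unpatched package. The SUSE updates listed in this bug keep the upstream version string 9.9.9P1, so compare the package release rather than the BIND version.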
Comment 6 Swamp Workflow Management 2017-01-09 12:58:31 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-01-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63332
Comment 11 Swamp Workflow Management 2017-04-13 04:10:43 UTC
SUSE-SU-2017:0998-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1020983,1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Server 12-SP2 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Server 12-SP1 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    bind-9.9.9P1-59.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    bind-9.9.9P1-59.1
Comment 12 Swamp Workflow Management 2017-04-13 04:11:42 UTC
SUSE-SU-2017:0999-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    bind-9.9.9P1-28.34.1
SUSE Linux Enterprise Server 12-LTSS (src):    bind-9.9.9P1-28.34.1
Comment 13 Swamp Workflow Management 2017-04-13 04:12:50 UTC
SUSE-SU-2017:1000-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
SUSE OpenStack Cloud 5 (src):    bind-9.9.6P1-0.44.1
SUSE Manager Proxy 2.1 (src):    bind-9.9.6P1-0.44.1
SUSE Manager 2.1 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Server 11-SP4 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bind-9.9.6P1-0.44.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    bind-9.9.6P1-0.44.1
Comment 14 Swamp Workflow Management 2017-04-19 19:10:25 UTC
openSUSE-SU-2017:1063-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1020983,1033466,1033467,1033468,987866,989528
CVE References: CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Sources used:
openSUSE Leap 42.2 (src):    bind-9.9.9P1-48.3.1
openSUSE Leap 42.1 (src):    bind-9.9.9P1-51.1
Comment 21 Swamp Workflow Management 2019-05-23 09:30:03 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-06-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64276
Comment 24 Alexandros Toptsoglou 2020-04-21 17:06:33 UTC
Done